Abstract

We consider quantum key distribution in the device-independent scenario, i.e., where the legitimate parties do not know (or trust) the exact specification of their apparatus. We show how secure key distribution can be realized against the most general attacks by a quantum adversary under the condition that measurements on different subsystems by the honest parties commute.

1 Introduction 

The security of quantum key distribution is based on the laws of physics and does not rely on any (unproven) assumption of computational hardness. It does, however, assume that the honest parties can control their physical devices accurately and completely. If an implementation of quantum key distribution does not meet this requirement, its security may be compromised. For example, the BB84 quantum key-distribution protocol [BB84] becomes completely insecure if the source emits several instead of single photons or if the measurement device measures only in one instead of two different bases. Experimentally, several successful attacks making use of imperfections of the physical devices have lately been implemented (see, e.g., [Mak09, XQHK10, LWW+10]).



The goal of device-independent quantum key distribution is to show the security of key distribution schemes where the exact description of the particle source (in particular, the dimension of the Hilbert space the emitted particles live in) and the exact specification of the measurement apparatus are unknown. The honest parties can only check properties of the input/output behaviour of their physical system described by statistical tests.

Two approaches to achieve device-independent quantum key distribution have been investigated: the first uses the validity of quantum mechanics with all its formalism, while the second bases security only on the non-signalling principle, i.e., the fact that the parties cannot use their physical apparatus to send messages (in particular, measurements on an entangled quantum state cannot be used for message transmission). It can be shown that this latter condition is strictly weaker and that there exist examples of systems which are secure against quantum adversaries, but insecure (or only partially secure) in a model built on the non-signalling principle only. The latter can therefore lead to unnecessarily low key rates or even the impossibility to create a key in certain regimes.

Our contribution: We give a general security proof of device-independent quantum key distribution against the most general attacks by any adversary limited by quantum mechanics under the sole condition that whenever the key distribution protocol prescribes measurements on separate subsystems, then these measurements commute. This condition can, for instance, be enforced by isolating the individual subsystems or by performing the measurements at space-like separated points. Furthermore, it is understood that the legitimate parties have access to a source of randomness¹ and that none of the devices leaks information to the environment. Our proof method applies to a generic class of entanglement-based quantum key-distribution protocols [Eke91]. In particular, we show that a protocol similar to the one proposed originally by Ekert reaches an asymptotic key rate of one secure bit per channel use in the noiseless limit even in the device-independent scenario with commuting measurements.

¹ It is already sufficient to have a source producing a small number of random bits. As shown in [Col06, PAM+10], this randomness can then be expanded using a device-independent randomness expansion protocol.

The proof method we use is based on a criterion by Navascués, Pironio and Acín [NPA07] to bound the information a (quantum) adversary can have about the legitimate parties' measurement results by a semi-definite program. Our main technical contribution is to show that when the honest parties share several systems with commuting measurements, then this semi-definite program follows a sort of product theorem (our main technical result, given in Section 5), i.e., an adversary cannot guess the outputs of several systems any better than by trying to guess each output individually. The resulting security proof works for any alphabet size of the inputs and outputs to the system and does not use any Hilbert space formalism, only convex optimization techniques.

Our security proof can also be applied in the non-device-independent scenario, i.e., where the properties of the devices are (partially) known (or trusted), leading to a higher key rate.

Our technique also implies that privacy amplification, i.e., the random hashing usually performed 
at the end of the protocol to turn a partially secure raw key into a fully secure key, can be replaced 
by a deterministic function, the XOR. 

Related work: The problem of device-independence has been introduced and studied by Mayers and Yao [MY98], who showed security against an adversary limited to individual attacks in the noiseless scenario. The same scenario but allowing for noise has been treated in [MMMO06]. A device-independent quantum key distribution scheme secure against collective attacks has been given in [ABG+07]. If the devices are memoryless, this scheme can even be shown secure against the most general attacks, using a plausible but unproven assumption, as shown in [McK10].

Device-independent key distribution against adversaries only limited by the non-signalling principle has first been studied by Barrett, Hardy and Kent [BHK05]. Key distribution schemes secure against (non-signalling) individual attacks have been proposed and analysed in [AGM06, AMP06, SGB+06]. Under the additional assumption that a non-signalling condition holds between all subsystems, security against the most general attacks has been proven in [Mas09, HRW10, MRW+09].

Outline: We will first introduce the mathematical framework needed to describe key distribution protocols and define their security (Section 2). In Section 3 we review the semi-definite criterion by Navascués, Pironio and Acín [NPA07] to bound the set of quantum systems. In Section 4 we study how to bound the security of a single system. Our main technical result relates the security of a single system to the security of many systems and is given in Section 5. Using these results, we can then give a general security proof for device-independent quantum key distribution. We first treat the case when the marginal systems shared by the honest parties are independent (Section 6), before removing this requirement in Section 7. Finally, in Section 8 we apply our result to a specific protocol which is secure in the device-independent scenario.

2 Framework 

2.1 Systems 

We define security in the context of random systems [Mau02]. A system is an abstract device taking inputs and giving outputs at one or more interfaces and is characterized by the probability distributions of the outputs given the inputs. The closeness of two systems $S_0$ and $S_1$ can be measured by introducing a so-called distinguisher. A distinguisher $\mathcal{D}$ is itself a system which can interact with another system and output a bit, $B$. Assume the distinguisher is connected at random either to system $S_0$ or to $S_1$; after interacting with the system, the distinguisher is supposed to guess which of the two systems it is connected to. The distinguishing advantage between systems $S_0$ and $S_1$ is then defined in terms of the probability of winning this game.
Definition 1. The distinguishing advantage between two systems $S_0$ and $S_1$ is

$$\delta(S_0, S_1) = \max_{\mathcal{D}} \big[ P(B = 1 \mid S = S_1) - P(B = 1 \mid S = S_0) \big] ,$$

where the maximum ranges over all distinguishers $\mathcal{D}$ connected to a system $S$ and where $B$ denotes the output of the distinguisher. Two systems $S_0$ and $S_1$ are called $\epsilon$-indistinguishable if $\delta(S_0, S_1) \le \epsilon$.

The probability of any event $\mathcal{E}$, defined in a scenario involving a system $S_0$, cannot differ by more than this quantity from the probability of a corresponding event in a scenario where $S_0$ has been replaced by $S_1$. The reason is that otherwise this event could be used to distinguish the two systems.

Lemma 1. Let $S_0$ and $S_1$ be $\epsilon$-indistinguishable systems. Denote by $P(\mathcal{E} \mid S_0)$ the probability of an event $\mathcal{E}$, defined by any of the input and output variables of the system $S_0$. Then

$$P(\mathcal{E} \mid S_0) \le P(\mathcal{E} \mid S_1) + \epsilon .$$

The distinguishing advantage is a pseudo-metric; in particular, it fulfils the triangle inequality

$$\delta(S_0, S_2) \le \delta(S_0, S_1) + \delta(S_1, S_2) . \qquad (1)$$

2.2 Modelling key agreement 

The security of a cryptographic primitive can be measured by its distance from an ideal system which 
is secure by definition. For example in the case of key distribution, the ideal system is a perfect 
key generation system which outputs a uniform and random key (bit string) S to both legitimate 
parties (usually called Alice and Bob) but does not leak any information about S to the adversary 
(called Eve). This key is secure by construction. A real key generation system is called secure if it 
is indistinguishable from this ideal one. 

Definition 2. A perfect $\ell$-bit key generation system is a system which outputs two equal uniform random variables $S_A$ and $S_B$ with range $\mathcal{S}$ of size $|\mathcal{S}| = 2^{\ell}$ at two designated interfaces (i.e., $P_{S_A S_B}(s_A, s_B) = 1/|\mathcal{S}|$ if $s_A = s_B$ and $0$ otherwise) and for which all other interfaces are uncorrelated with $S_A$ and $S_B$.

Definition 3. A key generation system is e-secure if the system is e-indistinguishable from a perfect 
key generation system. 

As a consequence of Lemma 1, the resulting security is composable [PW01, BPW03, Can01]. That is, no matter in what application the key is used, it is as useful as a perfect key, except with a small probability $\epsilon$.

The real key generation system we are interested in is one obtained by running a protocol $(\pi, \pi')$ using as underlying resource a public authenticated channel and a pre-distributed quantum state (see Figure 1). More precisely, Alice and Bob both execute locally a program, $\pi$ and $\pi'$, to generate keys, $S_A$ and $S_B$, respectively. Furthermore, we model the adversary, Eve, as a program that has access to additional interfaces of these resources. The interface to the public channel provides her with the entire public communication, $Q$. Furthermore, she can choose an arbitrary measurement, $W$, to be applied to the pre-distributed quantum state, resulting in an outcome $Z$.

Note that, in a realistic scenario, an adversary may access the channel interactively, make mea- 
surements and, depending on the outcomes, decide on further actions. This is, however, captured 
by our model, as the single input W may be interpreted as the encoding of an entire strategy that 
specifies how a real system would be accessed. More precisely, Eve obtains all the communication 
exchanged over the public channel Q, can then choose a measurement W (which can depend on Q) 
and finally obtains an outcome Z. 

In order to derive bounds on the parameter $\epsilon$ in Definition 3, we split this parameter in two parts, where one corresponds to the correctness (the probability that Alice's and Bob's keys are different, i.e., $P(S_A \ne S_B)$) and the other one corresponds to the secrecy. The latter is quantified by the distance from uniform of the key $S_A$ given the information accessible to Eve, i.e., $Z(W_Q)$ and $Q$ (we write $Z(W_Q)$ because the eavesdropper can choose the input adaptively and the choice of input changes the output distribution).
Figure 1: Our real key distribution system $S_{\mathrm{real}}$ (left). Alice and Bob share a public authentic channel and a quantum state. When they apply a protocol $(\pi, \pi')$ to obtain a key, all this can together be modelled as a system. In our ideal system $S_{\mathrm{ideal}}$ (right), instead of outputting the key generated by the protocol $(\pi, \pi')$, the system outputs a uniform random string $S$ to both Alice and Bob. We will also sometimes use an intermediate system $S_{\mathrm{int}}$ which is the same as the real system but with $S_B$ replaced by $S_A$.



Definition 4. For a given system as depicted in Figure 1, the distance from uniform of $S_A$ given $Z(W_Q)$ and $Q$ is

$$d(S_A \mid Z(W_Q), Q) = \frac{1}{2} \sum_{q} \max_{w} \sum_{z, s} P_{ZQ|W=w}(z, q) \cdot \big| P_{S_A|Z=z, Q=q, W=w}(s) - P_U(s) \big| ,$$

where $P_U$ is the uniform distribution over $\mathcal{S}$, i.e., $P_U(s) = 1/|\mathcal{S}|$.

The distance from uniform can be seen as the distinguishing advantage between the real system and an intermediate system, $S_{\mathrm{int}}$, which is equal to our real system, but which outputs $S_A$ on both sides (i.e., $S_B$ is replaced by $S_A$).

The following lemma is a direct consequence of the definitions of the systems in Figure [1] and 
the distinguishing advantage. 

Lemma 2. Consider the intermediate system $S_{\mathrm{int}}$ and the ideal system as defined above (see Figure 1). Then

$$\delta(S_{\mathrm{int}}, S_{\mathrm{ideal}}) = d(S_A \mid Z(W_Q), Q) .$$

The correctness of the protocol, i.e., the probability that Alice's and Bob's key are equal, is 
determined by the distinguishing advantage from the intermediate system to the real system, more 
precisely, the probability that the real system outputs different values on the two sides. This is again 
a direct consequence of the definitions. 

Lemma 3. Consider the intermediate system $S_{\mathrm{int}}$ and the real system $S_{\mathrm{real}}$ as defined above. Then

$$\delta(S_{\mathrm{real}}, S_{\mathrm{int}}) = \sum_{s_A \ne s_B} P_{S_A S_B}(s_A, s_B) .$$

Finally, by the triangle inequality (1) on the distinguishing advantage of systems, we obtain the following lemma relating the security of our protocol to the secrecy (measured in terms of the distance from uniform) and the correctness.

Lemma 4. The key generation system depicted in Figure 1 is $\epsilon$-secure with

$$\epsilon \le d(S_A \mid Z(W_Q), Q) + \sum_{s_A \ne s_B} P_{S_A S_B}(s_A, s_B) .$$
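As an added worked example (not part of the paper), the quantities of Definition 4 and Lemmas 3 and 4 evaluated on a constructed toy system: Alice's key has $\ell = 2$ bits, the public value $Q$ is one bit, and Eve picks her measurement $W$ after seeing $Q$. The table returned by `toy_system` and the name of every function are ours, not the paper's; the second mode of `distance_from_uniform` is there only to show why the maximum over $w$ sits inside the sum over $q$.

```python
"""Added example, not from the paper: Definition 4 and Lemma 4 on a toy system.
The conditional table P_{S_A Z Q|W=w} below is constructed, not measured."""
from itertools import product

KEYS = [(a, b) for a in (0, 1) for b in (0, 1)]   # range S of S_A, |S| = 4


def toy_system(hit=0.9):
    """{w: {(s, z, q): P_{S_A Z Q|W=w}(s, z, q)}}.  When Eve's input w equals the
    public bit q her outcome z equals the first key bit with probability `hit`;
    otherwise z is an independent uniform bit.  Key and q are uniform."""
    table = {}
    for w in (0, 1):
        t = {}
        for s, z, q in product(KEYS, (0, 1), (0, 1)):
            pz = (hit if z == s[0] else 1 - hit) if w == q else 0.5
            t[(s, z, q)] = 0.25 * 0.5 * pz
        table[w] = t
    return table


def distance_from_uniform(table, adaptive=True):
    """d(S_A | Z(W_Q), Q) of Definition 4.  adaptive=True: max over w inside the
    sum over q (Eve chooses W after seeing Q).  adaptive=False: one w for all q,
    shown only to illustrate why the adaptive order is the right one."""
    qs = sorted({q for t in table.values() for (_, _, q) in t})

    def contribution(w, q):
        t = table[w]
        tot = 0.0
        for z in sorted({zz for (_, zz, qq) in t if qq == q}):
            p_zq = sum(t[(s, z, q)] for s in KEYS)          # P_{ZQ|W=w}(z, q)
            if p_zq == 0:
                continue
            # sum_s |P_{S_A|Z=z,Q=q,W=w}(s) - 1/|S||, weighted by P_{ZQ|W=w}(z,q)
            tot += p_zq * sum(abs(t[(s, z, q)] / p_zq - 1 / len(KEYS)) for s in KEYS)
        return 0.5 * tot

    if adaptive:
        return sum(max(contribution(w, q) for w in table) for q in qs)
    return max(sum(contribution(w, q) for q in qs) for w in table)


def correctness_error(p_sa_sb):
    """Lemma 3: delta(S_real, S_int) = sum_{s_A != s_B} P_{S_A S_B}(s_A, s_B)."""
    return sum(p for (sa, sb), p in p_sa_sb.items() if sa != sb)


def security_parameter(table, p_sa_sb, adaptive=True):
    """Lemma 4: epsilon = d(S_A | Z(W_Q), Q) + P(S_A != S_B)."""
    return distance_from_uniform(table, adaptive) + correctness_error(p_sa_sb)


# constructed correctness table: Bob's key equals Alice's except in 2% of cases,
# where its first bit is flipped
P_SASB = {(s, s): 0.25 * 0.98 for s in KEYS}
for s in KEYS:
    P_SASB[(s, (1 - s[0], s[1]))] = 0.25 * 0.02

if __name__ == "__main__":
    sysm = toy_system()
    print("d (adaptive W)     =", distance_from_uniform(sysm, True))
    print("d (non-adaptive W) =", distance_from_uniform(sysm, False))
    print("epsilon            =", security_parameter(sysm, P_SASB))
```

For the toy table, Eve's adaptive choice gives $d = 0.4$ (she is right about the first key bit 90% of the time for either value of $q$), whereas a single fixed $w$ only reaches $0.2$; with the 2% correctness error the bound of Lemma 4 is $\epsilon = 0.42$. Setting `hit=0.5` makes $Z$ independent of the key and $d$ drops to $0$.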
2.3 Quantum systems

The fact that in the above scenario (see Figure 1) the random variables $U, V, W, X, Y, Z$ correspond to the choice of measurements on a quantum state and their respective outcomes imposes a limitation on their possible distribution and, with this, on the eavesdropper's attacks. Consider the scenario where Alice, Bob and Eve share a tripartite quantum state. They can each measure their part of the system and obtain a measurement outcome. We can, of course, also consider the system Alice and Bob share after tracing out Eve, and this still corresponds to a quantum state (the reduced state). In accordance with the non-signalling principle, the marginal state Alice and Bob share is independent of what Eve does with her part of the state (in particular, independent of her measurement). And we can even consider the state Alice and Bob share conditioned on a certain measurement outcome of Eve: Alice and Bob still share a quantum state in this case.

Definition 5. An $n$-party system $P_{X|U}$, where $X = (X_1 \ldots X_n)$, is called quantum if there exists a pure state $|\Psi\rangle \in \mathcal{H} = \bigotimes_i \mathcal{H}_i$ and a set of measurement operators $\{E^{x_i}_{u_i}\}$ on $\mathcal{H}_i$ such that

$$P_{X|U}(x, u) = \langle \Psi | \bigotimes_i E^{x_i}_{u_i} | \Psi \rangle ,$$

where the measurement operators satisfy the following conditions

1. Hermitian, i.e., $E^{x_i \, \dagger}_{u_i} = E^{x_i}_{u_i}$ for all $x_i, u_i$,

2. orthogonal projectors, i.e., $E^{x_i}_{u_i} E^{x_i'}_{u_i} = E^{x_i}_{u_i} \, \delta_{x_i x_i'}$,

3. and sum up to the identity, i.e., $\sum_{x_i} E^{x_i}_{u_i} = \mathbb{1}$ for all $u_i$.

Note that the requirement that the operators correspond to projectors and the state to a pure state is not a restriction, since any POVM on a mixed state is equivalent to a projective measurement on a larger pure state (see, e.g., [NC00] for a proof).

For any (n + l)-party quantum system, the marginal and conditional systems are also quantum 
systems. 

Lemma 5. Consider an $(n+1)$-party quantum system $P_{XZ|UW}$. Then the marginal system

$$P_{X|U}(x, u) := \sum_{z} P_{XZ|UW}(x, z, u, w)$$

and the conditional system

$$P_{X|U, W=w, Z=z}(x, u) := \frac{1}{P_{Z|W=w}(z)} \, P_{XZ|UW}(x, z, u, w)$$

are $n$-party quantum systems.

This follows, of course, directly from the properties of quantum systems. However, as an illus- 
tration, we give a direct proof in our framework. 

Proof. Let $|\Psi\rangle$ be the state and $\{E^{x_i}_{u_i}\}$ the measurement operators associated with the original system. For the marginal system, take the same state and the measurement operators $\{E^{x_i}_{u_i}\}$ for all $i < n$. The measurement operators associated with the $n$-th party are $\{E^{x_n}_{u_n} \otimes \mathbb{1}_{\mathcal{H}_{n+1}}\}$. They fulfil the requirements because they are part of the requirements of the operators of the $(n+1)$-party quantum system. For the conditional system take the state $\frac{1}{\sqrt{P_{Z|W=w}(z)}} \, (\mathbb{1}_{\mathcal{H}} \otimes E^{z}_{w}) |\Psi\rangle$, where $\mathcal{H} = \bigotimes_{i=1}^{n} \mathcal{H}_i$, and the same measurement operators $\{E^{x_i}_{u_i}\}$. □

Lemma [5] directly implies that any measurement of Eve on her part of the system induces a 
convex decomposition of Alice's and Bob's system into several conditional quantum systems. 
Remark 1. Every input to an $(n+1)$-party quantum system $P_{XZ|UW}$ corresponds to a decomposition of the marginal $n$-party system $P_{X|U}$ such that

$$P_{X|U} = \sum_{z} p_z \, P^{z}_{X|U} ,$$

where $p_z := P_{Z|W=w}(z)$ is a probability and $P^{z}_{X|U} := P_{X|U, W=w, Z=z}$ is a quantum system.

3 Bounding the Set of Quantum Systems by Semi-Definite Programming

In [NPA07], Navascués, Pironio and Acín give a criterion in terms of a semi-definite program (see, e.g., [BV04, BTN01] for an introduction to semi-definite programming) which any quantum system must fulfil (see also [NPA08, DLTW08]). The idea is that if a system is quantum, then it is possible to associate a matrix $\Gamma$ with it which needs to be positive semi-definite. We will use the notation $\Gamma \succeq 0$ to denote positive semi-definite matrices. $\Gamma$ can be seen as the matrix defined as follows.

Definition 6. A sequence of length $k$ of a set $\{E^{x_i}_{u_i} : x_i \in \mathcal{X}_i, u_i \in \mathcal{U}_i, i \in 1, \ldots, n\}$ is a product of $k$ operators of this set. The sequence of length $0$ is defined as the identity operator.

Definition 7. The matrix $\Gamma^k$ is defined as

$$\Gamma^k_{ij} := \langle \Psi | O_i^{\dagger} O_j | \Psi \rangle ,$$

where $O_i = E^{x_n}_{u_n} \cdot E^{x_m}_{u_m} \cdots$ is a sequence of length at most $k$ of the measurement operators $\{E^{x_i}_{u_i}\}$.

In the above notation we consider the measurement operators as operators on the whole Hilbert space $\mathcal{H}$. These operators must, of course, fulfil the conditions of Definition 5 (i.e., they must be Hermitian orthogonal projectors and sum up to the identity for each input) and they must commute. Note that in finite dimensions, commutativity is equivalent to the tensor product structure as in Definition 5 (see, e.g., [Weh08] for an explicit proof of this).

The requirements the measurement operators fulfil (Definition [5]) translate into requirements on 
the entries of the matrix T k . For example, certain entries must be equal to others or the sum of 
some must be equal to the sum of others. 

In order to decide whether a certain system is quantum, we can ask whether such a matrix $\Gamma^k$ exists: if the system is quantum, it must be possible to associate a matrix $\Gamma^k$ (as in Definition 7) with it which is consistent with the probabilities describing the system and fulfils the above requirements. The problem of finding a consistent matrix $\Gamma^k$ is a semi-definite programming problem.

Theorem 1 (Navascués, Pironio, Acín [NPA07]). For every quantum system $P_{X|U}$ and $k$ there exists a symmetric matrix $\Gamma^k$ with $\Gamma^k_{ij} = \langle \Psi | O_i^{\dagger} O_j | \Psi \rangle$, where $O_i = E^{x_n}_{u_n} \cdot E^{x_m}_{u_m} \cdots$ is a sequence of length at most $k$. Furthermore,

$$A_{\mathrm{qb}} \cdot \Gamma^k = 0 \quad \text{and} \quad \Gamma^k \succeq 0 ,$$

where $A_{\mathrm{qb}}$ is defined by the conditions

• orthogonal projectors: $\langle \Psi | O \, E^{x_i}_{u_i} E^{x_i'}_{u_i} \, O' | \Psi \rangle - \langle \Psi | O \, E^{x_i}_{u_i} \delta_{x_i x_i'} \, O' | \Psi \rangle = 0$,

• completeness: $\sum_{x_i} \langle \Psi | O \, E^{x_i}_{u_i} \, O' | \Psi \rangle - \langle \Psi | O O' | \Psi \rangle = 0$ for all $u_i$,

• commutativity: $\langle \Psi | O \, E^{x_i}_{u_i} E^{x_j}_{u_j} \, O' | \Psi \rangle = \langle \Psi | O \, E^{x_j}_{u_j} E^{x_i}_{u_i} \, O' | \Psi \rangle$ for $i \ne j$,

where $O$ and $O'$ stand for arbitrary operator sequences of the set $\{E^{x_i}_{u_i}\}$.

$\Gamma^k$ is called the quantum certificate of order $k$ associated with the system $P_{X|U}$.



Proof. Orthogonality, completeness and Hermiticity follow directly from Definition 5. Let us see that the matrix is positive semi-definite. For all $v \in \mathbb{C}^m$

$$v^{\dagger} \Gamma^k v = \sum_{ij} \bar{v}_i \, \Gamma^k_{ij} \, v_j = \sum_{ij} \bar{v}_i v_j \, \langle \Psi | O_i^{\dagger} O_j | \Psi \rangle = \langle \Psi | V^{\dagger} V | \Psi \rangle \ge 0 ,$$

where $V := \sum_i v_i O_i$. Finally, the matrix can be taken to be real, because for any complex $\Gamma^k$, the matrix $(\Gamma^k + \bar{\Gamma}^k)/2$ is real and fulfils the conditions. □

We do not require this matrix to be normalized. Note that the matrix $\Gamma^k$ contains, in particular, the (potentially not normalized) probabilities $P_{X|U}(x, u)$ associated with an $n$-party quantum system, for $n \le 2k$ (an entry $\langle \Psi | O_i^{\dagger} O_j | \Psi \rangle$ is a product of at most $2k$ measurement operators).

In [NPA08, DLTW08] it is shown that if a certificate of order $k$ can be associated with a certain system $P_{X|U}$ for every $k$ (i.e., in the limit $k \to \infty$), then this system is indeed quantum. More precisely, it corresponds to a quantum system where operators associated with different parties commute, but do not necessarily have a tensor product structure. For any finite-dimensional system, however, commutativity implies a tensor product structure. See, e.g., [DLTW08] for an explicit proof of this.
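As an added example (not code from the paper), the objects of Definition 5, Definition 7 and Theorem 1 made concrete for the two-party, binary-input, binary-output case that Example 1 below uses: the singlet state measured with four projective measurements, the resulting behaviour $P_{XY|UV}$, and the order-1 certificate $\Gamma^1$ built from the operator sequences of length at most one. The checks then verify on $\Gamma^1$ exactly the conditions of Theorem 1 (the $A_{\mathrm{qb}}$ relations and $\Gamma^1 \succeq 0$). The measurement angles for $U_0, U_1, V_0, V_1$ are an assumption (the paper's figure with the bases is not reproduced on this page), and all function names are ours. It is pure Python with no numerical library.

```python
"""Added example, not from the paper: the 2-party quantum system of Definition 5
(singlet + 4 projective measurements), its order-1 certificate Gamma^1
(Definition 7) and the conditions of Theorem 1 checked on it.
The angles of U_0, U_1, V_0, V_1 are assumed; pure Python, no numpy."""
import math


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def kron(A, B):
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m]
             for j in range(n * m)] for i in range(n * m)]


def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]


def expval(rho, M):
    """tr(rho M) for rho given as an ensemble [(w_k, phi_k)] of pure states."""
    tot = 0.0
    for w, phi in rho:
        Mphi = [sum(M[i][j] * phi[j] for j in range(len(phi))) for i in range(len(phi))]
        tot += w * sum(a.conjugate() * b for a, b in zip(phi, Mphi))
    return tot


def projector(theta, x):
    """E^x_theta: projector on the +1 (x=0) / -1 (x=1) eigenvector of cos(theta)Z + sin(theta)X."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    v = (c, s) if x == 0 else (-s, c)
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]


I2 = [[1.0, 0.0], [0.0, 1.0]]
I4 = kron(I2, I2)
ALICE = {0: 0.0, 1: math.pi / 2}          # assumed angles of U_0, U_1
BOB = {0: math.pi / 4, 1: -math.pi / 4}   # assumed angles of V_0, V_1
SINGLET = [0.0, 1 / math.sqrt(2), -1 / math.sqrt(2), 0.0]   # (|01> - |10>)/sqrt 2
BASIS = [[1.0 if i == k else 0.0 for i in range(4)] for k in range(4)]


def ensemble(p):
    """The state of Example 1, (1-p)|Psi^-><Psi^-| + p 1/4, as an ensemble."""
    return [(1 - p, SINGLET)] + [(p / 4, e) for e in BASIS]


def E(party, x, u):
    """E^x_u on the whole 4-dimensional space (Alice acts on the first factor)."""
    P = projector(ALICE[u] if party == 'A' else BOB[u], x)
    return kron(P, I2) if party == 'A' else kron(I2, P)


def prob(p, x, y, u, v):
    """P_{XY|UV}(x,y,u,v) = tr(rho E^x_u (x) E^y_v), Definition 5."""
    return expval(ensemble(p), matmul(E('A', x, u), E('B', y, v))).real


def chsh(p):
    """CHSH value of the observed system: 2 sqrt 2 at p = 0, 0 at p = 1."""
    def corr(u, v):
        return sum((-1) ** (x + y) * prob(p, x, y, u, v) for x in (0, 1) for y in (0, 1))
    return abs(corr(0, 0) + corr(0, 1) + corr(1, 0) - corr(1, 1))


# operator sequences of length <= 1 (Definition 6): identity plus all 8 projectors
LABELS = [None] + [(pt, x, u) for pt in 'AB' for u in (0, 1) for x in (0, 1)]


def certificate(p):
    """Gamma^1_{ij} = tr(rho O_i^dagger O_j) (Definition 7); linear in rho."""
    ops = [I4 if lab is None else E(*lab) for lab in LABELS]
    rho = ensemble(p)
    return [[expval(rho, matmul(dagger(Oi), Oj)) for Oj in ops] for Oi in ops]


def is_psd(G, tol=1e-9):
    """Semidefinite Cholesky: True iff G = L L^dagger exists, i.e. G >= 0.
    A zero pivot is allowed only if the rest of its column vanishes."""
    n = len(G)
    L = [[0.0] * n for _ in range(n)]
    for j in range(n):
        d = G[j][j].real - sum(abs(L[j][k]) ** 2 for k in range(j))
        if d < -tol:
            return False
        L[j][j] = math.sqrt(d) if d > tol else 0.0
        for i in range(j + 1, n):
            r = G[i][j] - sum(L[i][k] * L[j][k].conjugate() for k in range(j))
            if d > tol:
                L[i][j] = r / L[j][j]
            elif abs(r) > tol:
                return False
    return True


def satisfies_aqb(G, tol=1e-9):
    """The A_qb conditions of Theorem 1 read off Gamma^1 (row 0 is the identity)."""
    idx = {lab: i for i, lab in enumerate(LABELS)}
    ok = True
    for pt in 'AB':
        for u in (0, 1):
            for x in (0, 1):
                for x2 in (0, 1):   # orthogonal projectors: <E^x_u E^x'_u> = delta <E^x_u>
                    want = G[0][idx[(pt, x, u)]] if x == x2 else 0.0
                    ok = ok and abs(G[idx[(pt, x, u)]][idx[(pt, x2, u)]] - want) < tol
            for j in range(len(LABELS)):   # completeness: sum_x <E^x_u O_j> = <O_j>
                ok = ok and abs(sum(G[idx[(pt, x, u)]][j] for x in (0, 1)) - G[0][j]) < tol
    for a in LABELS[1:5]:              # commutativity: <E_A E_B> = <E_B E_A>
        for b in LABELS[5:]:
            ok = ok and abs(G[idx[a]][idx[b]] - G[idx[b]][idx[a]]) < tol
    return ok
```

Running `chsh(0.0)` returns $2\sqrt{2}$ and `chsh(p)` scales as $(1-p)\,2\sqrt{2}$; `is_psd` and `satisfies_aqb` hold for every $p$, since $\Gamma$ is a Gram matrix and the linear relations follow from the operator algebra alone, independently of the state. The certificate with the identity in row 0 makes the "observable" entries easy to locate: $\Gamma^1_{0j} = \langle O_j \rangle$, and the Alice-times-Bob block holds the probabilities $P_{XY|UV}$, which is the part that $A_U$ in Section 4.2 extracts.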

4 Min-Entropy Bound for Single Systems 

It will be our goal to show the security of a key-distribution protocol of the form as given in Figure 1. The crucial part hereby is to bound the probability that an eavesdropper interacting with her part of the quantum state can correctly guess the value of Alice's raw key $X$, since this corresponds to the min-entropy, by the following theorem.

Theorem 2 (König, Renner, Schaffner [KRS09]). Let $\rho_{XE}$ be classical on $\mathcal{H}_X$. Then

$$H_{\min}(X \mid E)_{\rho} = -\log_2 P_{\mathrm{guess}}(X \mid E)_{\rho} ,$$

where $P_{\mathrm{guess}}(X \mid E)_{\rho}$ is the maximal probability of decoding $X$ from $E$ with a POVM $\{E^x_E\}_x$ on $\mathcal{H}_E$, i.e.,

$$P_{\mathrm{guess}}(X \mid E)_{\rho} := \max_{\{E^x_E\}_x} \sum_x \mathrm{tr}\big( E^x_E \, \rho^x_E \big) .$$

This implies that, in order to bound the min-entropy, we can equivalently bound the guessing probability. Once the min-entropy is bounded, a secure key can be obtained using standard techniques, such as information reconciliation [BS93] and privacy amplification, which work even if the adversary holds quantum information [RK05, Ren05].

In this section, we will see how it is possible to determine the security of a single system (corresponding to a single measurement of Alice and Bob) by a semi-definite program. In Section 5 we will see that the security of many systems, and therefore of the key distribution scheme, directly relates to the security of the single system.

In the following, we will often consider a $(2n+1)$-party quantum system $P_{XYZ|UVW}$ (as well as its marginals) where $U = (U_1 \ldots U_n)$ and $X = (X_1 \ldots X_n)$ are Alice's inputs and outputs, $V = (V_1 \ldots V_n)$ and $Y = (Y_1 \ldots Y_n)$ are Bob's inputs and outputs, and $W$ and $Z$ Eve's input and output. The fact that Eve only has a single input and output reflects the fact that Eve may perform a joint attack, which means that she would not necessarily measure her subsystems individually.

4.1 A bound on the min-entropy

We will, in the following, study the scenario where Eve can choose an input $W$, depending on some additional information $Q$, and then obtains an output $Z$ (depending on $W$). She should then try to guess a value $f(X)$ of range $\mathcal{F}$. In particular, this function $f$ can, of course, be the identity function on the outputs on Alice's side.
Definition 8. The guessing probability of $f(X)$ given $Z(W)$ is

$$P_{\mathrm{guess}}(f(X) \mid Z(W), Q) = \sum_{q} \max_{w} \sum_{z} P_{ZQ|W=w}(z, q) \cdot \max_{f(x)} P_{f(X)|Z=z, Q=q, W=w}(f(x)) ,$$

where the maximization is over all $w$ such that $P_{XZ|UW}$ is a quantum system. The min-entropy of $f(X)$ given $Z(W)$ is

$$H_{\min}(f(X) \mid Z(W), Q) = -\log_2 P_{\mathrm{guess}}(f(X) \mid Z(W), Q) .$$

Remark 1 gives a bound on the probability that a quantum adversary can guess Alice's outcome by the following maximization problem. (We assume that the inputs $u$ are public, i.e., $Q = (U = u, F = f)$.)

Lemma 6. The value of $P_{\mathrm{guess}}(f(X) \mid Z(W), Q)$, where $P_{XZ|UW}$ is an $(n+1)$-party quantum system and $Q = (U = u)$, is bounded by the optimal value of the following optimization problem

$$\begin{aligned}
\max:\ & \sum_{z=1}^{|\mathcal{F}|} p_z \sum_{x : f(x) = z} P^{z}_{X|U}(x, u) \\
\text{s.t.:}\ & P_{X|U} = \sum_{z=1}^{|\mathcal{F}|} p_z \cdot P^{z}_{X|U} \\
& P^{z}_{X|U} \ \text{an } n\text{-party quantum system, for all } z .
\end{aligned}$$

Proof. The first condition follows by the definition of the marginal system and the second by the fact that for any $(n+1)$-party quantum system the conditional systems are $n$-party quantum systems (see Lemma 5). The objective function is the definition of the guessing probability. It is sufficient to consider the case $|\mathcal{Z}| = |\mathcal{F}|$, because any system where $Z$ has a larger range can be turned into a system reaching the same guessing probability by combining the conditional systems for which the same value $f(X)$ has maximal probability. By the convexity of quantum systems, the result is still a quantum system. □

The criterion discussed in Section 3 allows us to replace the condition that $P_{XY|UV}$ is a quantum behaviour by the condition that a certain matrix is positive semi-definite. We can now bound Eve's guessing probability by a semi-definite program. A similar bound has been obtained in [PAM+10] in the context of device-independent randomness expansion.

Lemma 7. The maximum guessing probability of $f(X)$ given $Z(W)$ and $Q := (U = u, F = f)$ is bounded by

$$P_{\mathrm{guess}}(f(X) \mid Z(W), Q) \le \sum_{z=1}^{|\mathcal{F}|} b_z \cdot \Gamma^z ,$$

where $\sum_{z=1}^{|\mathcal{F}|} b_z \cdot \Gamma^z$ is the optimal value of the semi-definite program²

$$\begin{aligned}
\max:\ & \sum_{z=1}^{|\mathcal{F}|} \sum_{x : f(x) = z} \Gamma^z(x, u) \qquad (2) \\
\text{s.t.:}\ & A_{\mathrm{qb}} \cdot \Gamma^z = 0 \quad \text{for all } z \\
& \Gamma^z \succeq 0 \\
& \sum_{z} \Gamma^z = \Gamma^k_{\mathrm{marg}} ,
\end{aligned}$$

where $\Gamma^z(x, u)$ denotes the entry of the matrix $\Gamma^z$ corresponding to $\langle \Psi | \prod_i E^{x_i}_{u_i} | \Psi \rangle$, i.e., the (unnormalized) probability $P^{z}_{X|U}(x, u)$, so that the objective equals $\sum_z b_z \cdot \Gamma^z$; $b_z$ is a matrix of the same size as $\Gamma^z$ which has a $1$ at the positions where $\Gamma^k$ has the entry $\langle \Psi | O_i^{\dagger} O_i | \Psi \rangle$ with $O_i = \prod_i E^{x_i}_{u_i}$ such that $f(x) = z$, and $0$ elsewhere; and $\Gamma^k_{\mathrm{marg}}$ denotes the certificate of order $k$ associated with the marginal system $P_{X|U}$.

² In the following, we sometimes write matrices as vectors by writing each column 'on top of each other'. When we write that a vector needs to be positive semi-definite, we mean that the matrix obtained by the inverse transformation must be positive semi-definite.

Proof. This follows from Lemma 6, the fact that any quantum system $P^{z}_{X|U}$ has a quantum certificate of order $k$, and $\sum_z E^z_w = \mathbb{1}$. □

The primal and dual program can be expressed as:

PRIMAL (3)

$$\begin{aligned}
\max:\ & \sum_{z=1}^{|\mathcal{F}|} b_z \cdot \Gamma^z \\
\text{s.t.:}\ & A_{\mathrm{qb}} \cdot \Gamma^z = 0 \quad \text{for all } z \\
& \sum_{z=1}^{|\mathcal{F}|} \Gamma^z = \Gamma^k_{\mathrm{marg}} \\
& \Gamma^z \succeq 0 \quad \text{for all } z
\end{aligned}$$

DUAL (4)

$$\begin{aligned}
\min:\ & \Gamma^k_{\mathrm{marg}} \cdot \lambda_{|\mathcal{F}|+1} \\
\text{s.t.:}\ & A_{\mathrm{qb}}^{T} \lambda_z + \lambda_{|\mathcal{F}|+1} \succeq b_z \quad \text{for all } z \\
& \lambda_1, \ldots, \lambda_{|\mathcal{F}|+1} \ \text{unrestricted}
\end{aligned}$$

Here $\lambda_z$ is the multiplier of the constraint $A_{\mathrm{qb}} \cdot \Gamma^z = 0$ and $\lambda_{|\mathcal{F}|+1}$ that of $\sum_z \Gamma^z = \Gamma^k_{\mathrm{marg}}$; the dual constraints are understood in the vectorized sense of footnote 2.

We note that any dual feasible solution gives an upper bound on the guessing probability which is linear in the matrix $\Gamma^k_{\mathrm{marg}}$ associated with the marginal system of Alice and Bob. Furthermore, the dual feasible region is independent of Alice's and Bob's marginal system; it only depends on the number of inputs and outputs and the step in the semi-definite hierarchy considered.
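The weak-duality step behind this remark, written out here as an added check (not part of the paper) in the page's own symbols, with $\cdot$ the entry-wise (trace) inner product of footnote 2: for any primal feasible $\Gamma^1, \ldots, \Gamma^{|\mathcal{F}|}$ of (3) and any dual feasible $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+1}$ of (4),

$$\sum_{z} b_z \cdot \Gamma^z \;\le\; \sum_{z} \big( A_{\mathrm{qb}}^{T} \lambda_z + \lambda_{|\mathcal{F}|+1} \big) \cdot \Gamma^z \;=\; \sum_{z} \lambda_z \cdot \big( A_{\mathrm{qb}} \cdot \Gamma^z \big) + \lambda_{|\mathcal{F}|+1} \cdot \sum_{z} \Gamma^z \;=\; \Gamma^k_{\mathrm{marg}} \cdot \lambda_{|\mathcal{F}|+1} .$$

The inequality holds because $A_{\mathrm{qb}}^{T} \lambda_z + \lambda_{|\mathcal{F}|+1} - b_z \succeq 0$ and $\Gamma^z \succeq 0$, and the trace of a product of two positive semi-definite matrices is non-negative; the last equality uses $A_{\mathrm{qb}} \cdot \Gamma^z = 0$ and $\sum_z \Gamma^z = \Gamma^k_{\mathrm{marg}}$. Hence the dual objective of any feasible $\lambda$ upper-bounds the optimum of (2) and, by Lemma 7, the guessing probability; no solver is needed to certify a bound once a feasible $\lambda$ is at hand.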

However, the matrix $\Gamma^k_{\mathrm{marg}}$ contains entries which do not correspond to observable probabilities and are only known if the state and measurement operators are known. It will be the goal of the next section to express the guessing probability in terms of observable quantities.



4.2 A min-entropy bound in terms of observable probabilities

Certain entries of the matrix $\Gamma^k_{\mathrm{marg}}$ do not correspond to observable probabilities and it is, therefore, impossible to know their value by testing the system. In this section, we will modify the above optimization problem in such a way as to get a solution only in terms of observable probabilities. More precisely, we will modify the optimization problem to take the 'worst' possible quantum certificate consistent with the observed probabilities. This leads to the following, modified, semi-definite program. The matrix $A_U$ is defined such that, multiplied with a quantum certificate, the observable probabilities are obtained, i.e., $A_U \cdot \Gamma^k = P_{X|U}$ (where $P_{X|U}$ denotes here the vector containing the values $P_{X|U}(x, u)$ for all $x, u$).



PRIMAL (5)

$$\begin{aligned}
\max:\ & \sum_{z=1}^{|\mathcal{F}|} b_z \cdot \Gamma^z \\
\text{s.t.:}\ & A_{\mathrm{qb}} \cdot \Gamma^z = 0 \quad \text{for all } z \\
& \sum_{z=1}^{|\mathcal{F}|} \Gamma^z - \Gamma^k_{\mathrm{marg}} = 0 \\
& A_U \cdot \Gamma^k_{\mathrm{marg}} = P_{X|U} \\
& \Gamma^z \succeq 0 \quad \text{for all } z, \qquad \Gamma^k_{\mathrm{marg}} \ \text{unrestricted}
\end{aligned}$$

DUAL (6)

$$\begin{aligned}
\min:\ & P_{X|U} \cdot \lambda_{|\mathcal{F}|+2} \\
\text{s.t.:}\ & A_{\mathrm{qb}}^{T} \lambda_z + \lambda_{|\mathcal{F}|+1} \succeq b_z \quad \text{for all } z \\
& -\lambda_{|\mathcal{F}|+1} + A_U^{T} \lambda_{|\mathcal{F}|+2} = 0 \\
& \lambda_1, \ldots, \lambda_{|\mathcal{F}|+2} \ \text{unrestricted}
\end{aligned}$$

Note that we have changed $\Gamma^k_{\mathrm{marg}}$ to be a variable (instead of a constant). Obviously $\Gamma^k_{\mathrm{marg}} \succeq 0$ holds because it is the sum of positive semi-definite matrices.



Lemma 8. If $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+2}$ are dual feasible for (6), then $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+1}$ are dual feasible for (4) with the same objective value.

Proof. We use the fact that $A_U \cdot \Gamma^k_{\mathrm{marg}} = P_{X|U}$. Since $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+2}$ are dual feasible for (6), it holds that $A_U^{T} \lambda_{|\mathcal{F}|+2} = \lambda_{|\mathcal{F}|+1}$. Therefore,

$$\Gamma^k_{\mathrm{marg}} \cdot \lambda_{|\mathcal{F}|+1} = \Gamma^k_{\mathrm{marg}} \cdot A_U^{T} \lambda_{|\mathcal{F}|+2} = \big( A_U \cdot \Gamma^k_{\mathrm{marg}} \big) \cdot \lambda_{|\mathcal{F}|+2} = P_{X|U} \cdot \lambda_{|\mathcal{F}|+2} .$$

The remaining constraints of (4) on $\lambda_1, \ldots, \lambda_{|\mathcal{F}|+1}$ are the same as in (6). □



Lemma 8 implies that any dual feasible solution of (6) gives an upper bound on the guessing probability which is linear in the observable probabilities. In terms of the min-entropy we obtain the following corollary.

Corollary 1. For any dual feasible $\lambda$,

$$H_{\min}(X \mid Z(W)) \ge -\log_2 \big( P_{X|U} \cdot \lambda_{|\mathcal{F}|+2} \big) .$$

Example 1. Consider a bipartite quantum system with binary inputs and outputs given by the mixture of the system in Figure 2 with weight $1 - p$ and a perfectly random bit with weight $p$ (this could be achieved by measuring a mixture of a singlet and a fully mixed state, i.e., the state $(1 - p) \cdot |\Psi^-\rangle\langle\Psi^-| + p \cdot \mathbb{1}/4$, using the measurements $U_0, U_1, V_0, V_1$ given in Figure 4). The guessing probability of the output bit $X$ as a function of the parameter $p$ is given in Figure 3.³

³ The data plotted in Figure 3 has been obtained by solving numerically, using the programs MATLAB®, Yalmip and SeDuMi [MAT08, Stu99, Löf04].

Figure 2: The probabilities associated with a quantum system obtained by measuring the singlet state using the bases $U_0, U_1, V_0, V_1$ of Figure 4.

Figure 3: The bound on the guessing probability of the measurement outcomes of Example 1.



5 Min-Entropy Bound for Multiple Systems

We can now show our main technical result, namely that the above semi-definite program describing the guessing probability has a product form if the measurements on different subsystems commute. Roughly, we will show the following: consider a system $P_{XY|UV}$ associated with a single pair of systems and the matrix $\Gamma^k$ associated with the $k$-th step of the hierarchy, fulfilling $A_{\mathrm{qb}} \cdot \Gamma^k = 0$. Then with two pairs of systems it is possible to associate a matrix $\Gamma'^k$ living in the tensor product space of two $\Gamma^k$. Furthermore, this matrix must fulfil $(\mathbb{1} \otimes A_{\mathrm{qb}}) \cdot \Gamma'^k = 0$.

5.1 Conditions on several quantum systems 

The goal of this section is to express the constraints that hold for a multi-party quantum system in 
terms of the constraints on its subsystems. 

Definition 9. Assume an $(n+m)$-party quantum system. The reduced quantum certificate of order $k$ is the matrix $\Gamma'^k_{n+m}$, defined as

$$\big( \Gamma'^k_{n+m} \big)_{ij} = \langle \Psi | O_{i_1}^{\dagger} O_{i_2}^{\dagger} O_{j_1} O_{j_2} | \Psi \rangle ,$$

where $i = l \cdot (i_1 - 1) + i_2$, $j = l \cdot (j_1 - 1) + j_2$ and $l$ is the number of rows of a quantum certificate of order $k$ for the $m$-party quantum system. $O_{i_1}$ is the operator associated with the $i_1$-th row of the quantum certificate of order $k$ of the marginal $n$-party system (and similarly for $O_{i_2}$ and the $m$-party system).

Lemma 9. $\Gamma'^k_{n+m} \succeq 0$.

Proof. This follows directly from the fact that $\Gamma'^k_{n+m}$ is a sub-matrix of the $(2k)$-th order quantum certificate associated with the $(n+m)$-party quantum system. □

The main insight, which will lead directly to the product theorems, is the following lemma. 

Lemma 10. Let $P_{X_1|U_1}$ be an $n$-party and $P_{X_2|U_2}$ an $m$-party quantum system. Call the associated
certificates of order $k$ $\Gamma^k_1$ and $\Gamma^k_2$ and write the linear conditions they fulfil as $A_{qb,1}\cdot\Gamma^k_1 = 0$ and
$A_{qb,2}\cdot\Gamma^k_2 = 0$. Then the reduced quantum certificate of order $k$ associated with the $(n+m)$-party
quantum system fulfils

$$(A_{qb,1}\otimes 1_{\Gamma^k_2})\cdot\Gamma'^k_{n+m} = 0 \quad\text{and}\quad (1_{\Gamma^k_1}\otimes A_{qb,2})\cdot\Gamma'^k_{n+m} = 0 .$$

This can be interpreted in the following way: even conditioned on any specific outcome of the
second system, the first system must still be a quantum system.

Proof. The matrix $A_{qb,1}$ contains entries of the form $\langle\Psi|O_{i_1}^\dagger O_{j_1}|\Psi\rangle - \langle\Psi|O_{i_1'}^\dagger O_{j_1'}|\Psi\rangle = 0$, which all
operators associated with an $n$-party quantum system must fulfil, because $O_{i_1}^\dagger O_{j_1} - O_{i_1'}^\dagger O_{j_1'} = 0$. By
the definition of $\Gamma'^k_{n+m}$, $(A_{qb,1}\otimes 1_{\Gamma^k_2})\cdot\Gamma'^k_{n+m}$ contains conditions of the form

$$\langle\Psi| O_{i_1}^\dagger O_{i_2}^\dagger O_{j_1} O_{j_2} |\Psi\rangle - \langle\Psi| O_{i_1'}^\dagger O_{i_2}^\dagger O_{j_1'} O_{j_2} |\Psi\rangle
= \langle\Psi| \big(O_{i_1}^\dagger O_{j_1} - O_{i_1'}^\dagger O_{j_1'}\big) O_{i_2}^\dagger O_{j_2} |\Psi\rangle = 0 ,$$

where we have used the fact that operators associated with different parties commute, linearity, and
the fact that the operators associated with an $(n+m)$-party quantum system must still fulfil the
conditions associated with a single system (as stated in Definition 5). □

5.2 A product lemma for the guessing probability 

Using this property, we can show the product lemma (Theorem 4) for the guessing probability (for
more details we refer to [Han10]).

Lemma 11. Consider the semi-definite program (2) defined by $A_1, b_1, c_1$, bounding the guessing
probability of $f(X_1)$ of an $n$-party quantum system $P_{X_1|U_1}$, where $Q_1 = (U_1 = u_1, F = f)$. Similarly,
associate $A_2, b_2, c_2$ with an $m$-party quantum system $P_{X_2|U_2}$, where $g(X_2)$ and $Q_2 = (U_2 = u_2, G = g)$.
Then the guessing probability of $f(X_1)\,\|\,g(X_2)$ (denoting the concatenation) of the $(n+m)$-party system
$P_{X_1X_2|U_1U_2}$ where $Q = (U = u, F = f, G = g)$ is bounded by the semi-definite program $A, b, c$ with
$b = b_1\otimes b_2$, $A = A_1\otimes A_2$.

Proof. This follows from the fact that any $(n+m)$-party quantum system must fulfil Lemma 10 and
that $b_i\otimes b_j$ has a 1 exactly at the entry associated with $\langle\psi|O_1^\dagger O_1 O_2^\dagger O_2|\psi\rangle$, where $O_1$ is the operator
associated with the probability of the outcome $x_1$ mapped to a certain $f(x_1)$, and similarly for $O_2$
and $g(x_2)$. □

Consider now the dual of this 'tensor product' problem. We will use a product theorem from [MS07]
(see also [LM08]) to show that for any dual feasible $\lambda$ (for a single system), $\lambda\otimes\cdots\otimes\lambda$ is dual feasible
for the dual of the tensor product problem, therefore forming an upper bound on the guessing
probability.

Theorem 3 (Mittal, Szegedy [MS07]). Consider the semi-definite program $\min : c_1^T\cdot\lambda_1$, s.t. $A_1^T\lambda_1 - b_1 \succeq 0$,
and a feasible $\lambda_1$, and similarly for $A_2, b_2, c_2, \lambda_2$. Assume $b_1 \succeq 0$ and $b_2 \succeq 0$. Then $\lambda = \lambda_1\otimes\lambda_2$
is feasible for the semi-definite program $\min : (c_1\otimes c_2)^T\cdot\lambda$, s.t. $(A_1\otimes A_2)^T\lambda - (b_1\otimes b_2) \succeq 0$.

Proof. We use the fact that for a $\lambda$ such that $A^T\lambda - b \succeq 0$, where $b \succeq 0$, it holds that $A^T\lambda - b + 2b =
A^T\lambda + b \succeq 0$, because we consider a convex cone. The tensor product of two positive semi-definite
matrices is positive semi-definite. We obtain

$$(A_1^T\lambda_1 - b_1)\otimes(A_2^T\lambda_2 + b_2) = A_1^T\lambda_1\otimes A_2^T\lambda_2 - b_1\otimes A_2^T\lambda_2 + A_1^T\lambda_1\otimes b_2 - b_1\otimes b_2 \succeq 0 ,$$
$$(A_1^T\lambda_1 + b_1)\otimes(A_2^T\lambda_2 - b_2) = A_1^T\lambda_1\otimes A_2^T\lambda_2 + b_1\otimes A_2^T\lambda_2 - A_1^T\lambda_1\otimes b_2 - b_1\otimes b_2 \succeq 0 .$$

Adding the two inequalities and dividing by two implies that

$$A_1^T\lambda_1\otimes A_2^T\lambda_2 - b_1\otimes b_2 = (A_1^T\otimes A_2^T)(\lambda_1\otimes\lambda_2) - b_1\otimes b_2 \succeq 0 ,$$

which means that $\lambda_1\otimes\lambda_2$ is feasible for the product problem. □

Lemma 12. Let $\lambda_1$ be a dual feasible solution of (2) defined by $A_1, b_1, c_1$ (see Lemma 11), and similarly
for $\lambda_2$ and $A_2, b_2, c_2$. Then $\lambda = \lambda_1\otimes\lambda_2$ is dual feasible for $A, b, c$ where $A = A_1\otimes A_2$ and $b = b_1\otimes b_2$.

Proof. Note that $b_i$ is of the form

$$\begin{pmatrix} 0 & \cdots & 0 \\ \vdots & 1 & \vdots \\ 0 & \cdots & 0 \end{pmatrix} ,$$

i.e., it has a 1 in the place where the matrix $\Gamma$ has the entry $\langle\psi|E_i^\dagger E_i|\psi\rangle$ for $f(x) = i$ and 0
everywhere else. It, therefore, only has positive entries on the diagonal and 0 everywhere else.
Clearly, $b_i \succeq 0$. The claim then follows by Theorem 3. □
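The following Python code is an added example (it is not part of the paper) that checks Theorem 3 and Lemma 12 numerically on constructed data. The dual constraint $A^T\lambda - b \succeq 0$ is modelled as $\sum_i \lambda_i M_i - b$ being positive semi-definite for fixed symmetric matrices $M_i$ (the "columns" of $A^T$); the matrices `MS1`, `MS2`, the vectors `LAM1`, `LAM2` and the 0/1 diagonal matrices `B1`, `B2` are all constructed here. The block also verifies the two-line identity used in the proof and shows, on a $1\times1$ instance, that the hypothesis $b \succeq 0$ cannot be dropped.

```python
# Added example, not from the paper: numerical check of Theorem 3 / Lemma 12.
# Dual feasibility  A^T lambda - b >= 0  is modelled as  sum_i lambda_i M_i - b  PSD,
# where the symmetric M_i stand in for the columns of A^T.  All data is constructed.

def kron(P, Q):
    """Kronecker product of two square matrices given as lists of lists."""
    n, m = len(P), len(Q)
    return [[P[i // m][j // m] * Q[i % m][j % m] for j in range(n * m)]
            for i in range(n * m)]

def add(P, Q, sign=1):
    """P + sign * Q for two equally sized square matrices."""
    return [[P[i][j] + sign * Q[i][j] for j in range(len(P))] for i in range(len(P))]

def kron_vec(u, v):
    """Kronecker product of two vectors: (u (x) v)_{ij} = u_i v_j."""
    return [a * b for a in u for b in v]

def dual_matrix(Ms, lam):
    """A^T lambda = sum_i lambda_i M_i."""
    out = [[0.0] * len(Ms[0]) for _ in range(len(Ms[0]))]
    for coeff, M in zip(lam, Ms):
        out = add(out, [[coeff * x for x in row] for row in M])
    return out

def is_psd(M, tol=1e-9):
    """Symmetric M is PSD iff Gaussian elimination meets no negative pivot and every
    zero pivot sits on an all-zero row (the LDL^T criterion)."""
    A = [row[:] for row in M]
    n = len(A)
    for k in range(n):
        piv = A[k][k]
        if piv < -tol:
            return False
        if piv <= tol:
            if any(abs(A[k][j]) > tol for j in range(k + 1, n)):
                return False
            continue
        for i in range(k + 1, n):
            f = A[i][k] / piv
            for j in range(k + 1, n):
                A[i][j] -= f * A[k][j]
    return True

# System 1: 2x2 certificates, two dual variables, b1 has a single 1 on the diagonal.
MS1 = [[[1, 0], [0, 1]], [[0, 1], [1, 0]]]
LAM1 = [1.5, 0.5]
B1 = [[1, 0], [0, 0]]
# System 2: 3x3 certificates, same structure.
MS2 = [[[1, 0, 0], [0, 1, 0], [0, 0, 1]], [[0, 1, 0], [1, 0, 0], [0, 0, 0]]]
LAM2 = [2.0, 1.0]
B2 = [[0, 0, 0], [0, 1, 0], [0, 0, 0]]

def single_feasible(Ms, lam, b):
    """Is lambda dual feasible for the single-system program (A^T lambda - b PSD)?"""
    return is_psd(add(dual_matrix(Ms, lam), b, -1))

def product_feasible(Ms1, lam1, b1, Ms2, lam2, b2):
    """Lemma 12: lambda1 (x) lambda2 is dual feasible for A1 (x) A2 and b1 (x) b2."""
    Ms = [kron(M, N) for M in Ms1 for N in Ms2]          # columns of (A1 (x) A2)^T
    X = dual_matrix(Ms, kron_vec(lam1, lam2))
    return is_psd(add(X, kron(b1, b2), -1))

def proof_identity_holds(X1, b1, X2, b2, tol=1e-9):
    """The two inequalities in the proof of Theorem 3 add up to 2 (X1 (x) X2 - b1 (x) b2)."""
    lhs = add(kron(add(X1, b1, -1), add(X2, b2)), kron(add(X1, b1), add(X2, b2, -1)))
    rhs = [[2 * x for x in row] for row in add(kron(X1, X2), kron(b1, b2), -1)]
    return all(abs(lhs[i][j] - rhs[i][j]) < tol
               for i in range(len(lhs)) for j in range(len(lhs)))

def hypothesis_needed():
    """With b not PSD the conclusion can fail: in the 1x1 case X = 0, b = -1 each factor
    is feasible (0 - (-1) = 1 >= 0) but X1 X2 - b1 b2 = -1 < 0."""
    return product_feasible([[[1]]], [0.0], [[-1]], [[[1]]], [0.0], [[-1]])
```

The product check builds the $(A_1\otimes A_2)^T$ columns as all Kronecker products $M_i\otimes N_j$, so that $(A_1\otimes A_2)^T(\lambda_1\otimes\lambda_2) = (\sum_i\lambda_{1,i}M_i)\otimes(\sum_j\lambda_{2,j}N_j)$, exactly the quantity the theorem reasons about.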

We can now formulate the product lemma for the guessing probability. 

Theorem 4 (Product lemma for the guessing probability). Let $P_{X_1|U_1}$ be an $n$-party quantum
system and $f(X_1)$ a function $f : \mathcal X_1\to\mathcal T$ such that $P_{guess}(f(X_1)|Z(W),Q) \le P_{X_1|U_1}\cdot\lambda_1$ where
$Q = (U_1 = u_1, F = f)$. Similarly, associate the guessing probability $P_{guess}(g(X_2)|Z(W),Q) \le
P_{X_2|U_2}\cdot\lambda_2$ with an $m$-party quantum system $P_{X_2|U_2}$ where $Q = (U_2 = u_2, G = g)$. Then the
guessing probability of $f(X_1)\,\|\,g(X_2)$ obtained from the $(n+m)$-party quantum system $P_{X_1X_2|U_1U_2}$
with $Q = (U_1 = u_1, U_2 = u_2, F = f, G = g)$ is bounded by

$$P_{guess}(f(X_1)\,\|\,g(X_2)\,|\,Z(W),Q) \le P_{X_1X_2|U_1U_2}\cdot(\lambda_1\otimes\lambda_2) .$$

Proof. This is a direct consequence of Lemma 12. □

When the marginal system is of the form $P_{X_1|U_1}\otimes P_{X_2|U_2}$, this implies that the guessing proba-
bility is the product of the guessing probabilities of the two subsystems. In terms of the min-entropy,
it implies that the min-entropy is additive.

Corollary 2. Let $P_{X^n|U^n} = \otimes^n P_{X|U}$. Then

$$H_{\min}(X^n|Z(W)) = n\cdot H_{\min}(X|Z(W)) .$$



6 Security under an Independence Assumption 

We have, in the previous sections, established all tools required for proving the security of quantum 
key distribution. The proof will consist of two steps. In the first, we will show that, using the above 
lemmas, we can have secure key distribution if the marginal distribution as seen by Alice and Bob 
looks like the product of several (identical) independent systems. In the next section, we will remove 
the condition of independence, because knowing that we are in a permutation invariant scenario, 
we will be able to relate the security of an arbitrary distribution to the security of independent 
distributions. 

Roughly speaking, an entanglement-based quantum key distribution protocol proceeds along
the following steps (we assume here that Alice and Bob start with pre-distributed particle pairs
described by a system $P_{XY|UV}^{\otimes n}$):

• Parameter estimation: Alice and Bob obtain a system $P_{XY|UV}^{\otimes n}$. In order to be able to bound
Eve's knowledge about the raw key, they need to estimate the probability distribution $P_{XY|UV}$
of the individual systems.

• Information reconciliation: Alice sends some information about her raw key to Bob, such that 
he can correct the errors in his raw key. 

• Privacy Amplification: Alice and Bob apply a public hash function to their raw keys in order 
to create a highly secure key. 

In the following we describe each of these steps in more detail and prove the technical results 
that will then constitute our security proof. 
6.1 Parameter estimation

Alice and Bob perform statistical tests on their system $P_{XY|UV}^{\otimes n}$ in order to estimate the probability
distribution $P_{XY|UV}$ of the individual systems. They abort if this distribution deviates from the
desired one.

The parameter-estimation protocol makes sure that only systems are accepted which have enough 
min-entropy, such that the final key will be secure. 

Definition 10. A parameter estimation protocol is said to $\varepsilon$-securely filter systems $P_{XY|UV}$ of a
set $\mathcal P$ if on input $P_{XY|UV}\notin\mathcal P$ the protocol outputs 'abort' with probability at least $1 - \varepsilon$. It is said
to be $\varepsilon'$-robust on systems $P_{XY|UV}$ of a set $\mathcal P$ if on input $P_{XY|UV}\in\mathcal P$ the protocol outputs 'abort'
with probability at most $\varepsilon'$.

Protocol 1 (Parameter estimation).

1. Alice and Bob receive a system $P_{\mathbf{XY}|\mathbf{UV}} = P_{XY|UV}^{\otimes n}$.

2. Alice chooses $\mathbf u$ such that for each $i$, with probability $1 - \kappa$, $u_i = u$, where $u$ denotes the input
on which a raw key bit is generated. With probability $\kappa$, she chooses $u_i$ uniformly at random
amongst $\mathcal U$.

3. Bob chooses $\mathbf v$ such that $v_i = v$ with probability $1 - \kappa$ and with probability $\kappa$, $v_i$ is chosen
uniformly at random.

4. They input $\mathbf u$ and $\mathbf v$ into the system and obtain the outputs $\mathbf x$ and $\mathbf y$.

5. They exchange the inputs over the public authenticated channel.

6. If fewer than $(1 - \kappa)^2 pn$ inputs were $(u,v)$, they abort.

7. Call $t$ the number of inputs where both did not choose $u$ and $v$. If any combination $u, v$ occurred
fewer than $\kappa^2 pn/|\mathcal U||\mathcal V|$ times, they abort.

8. From the inputs where they both chose a uniform input they estimate the distribution by
$\tilde P_{XYUV}(x,y,u,v) = \frac{1}{t}\,|\{i : (x_i, y_i, u_i, v_i) = (x,y,u,v)\}|$. Define $\mathcal P$ as the set of all $P_{XYUV}$ such
that $|\mathcal U||\mathcal V|\cdot P_{XYUV}\cdot\lambda \le P_{guess}$ for some dual feasible $\lambda$ (see the dual program bounding the
guessing probability) and $P(X\ne Y|U = u, V = v) \le \delta$. If $d(\tilde P_{XYUV}, P_{XYUV}) \ge \eta$ Alice and Bob abort,
else they accept.
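As an added example, not part of the paper, the following Python code simulates Protocol 1 classically: the untrusted boxes are replaced by constructed conditional distributions $P_{XY|UV}$ (a "honest" box and a box whose outputs ignore the inputs), inputs and outputs are bits, input 0 is the key-generating input on both sides, and the distance $d$ is taken to be the statistical distance $\frac12\sum|P - Q|$ (an assumption; the paper does not spell out $d$). The accepted set $\mathcal P$ is reduced to a single target distribution, the singleton case of Lemma 13, so step 8 compares the estimate with that one distribution; the guessing-probability test against a dual feasible $\lambda$ is not simulated.

```python
import random
from itertools import product

# Added example, not from the paper: a classical simulation of Protocol 1 with the boxes
# replaced by constructed distributions.  Assumptions: bit inputs/outputs, input 0 is the
# key-generating input for both parties, d is the statistical distance 1/2 * sum |P - Q|.

U = (0, 1)        # Alice's inputs, u = 0 generates the raw key
V = (0, 1)        # Bob's inputs, v = 0 generates the raw key
OUTS = (0, 1)

def honest_system(u, v):
    """Constructed P_{XY|UV}: perfectly correlated outputs on the key inputs (0, 0),
    10 % disagreement on every other input pair."""
    if (u, v) == (0, 0):
        return {(0, 0): 0.5, (1, 1): 0.5, (0, 1): 0.0, (1, 0): 0.0}
    return {(0, 0): 0.45, (1, 1): 0.45, (0, 1): 0.05, (1, 0): 0.05}

def independent_system(u, v):
    """Constructed substitute box whose outputs are uniform and independent of the inputs."""
    return {(x, y): 0.25 for x in OUTS for y in OUTS}

def make_target(cond):
    """P_XYUV = P_{XY|UV} / (|U||V|), i.e. the distribution for uniform inputs (Definition 13)."""
    return {(x, y, u, v): cond(u, v)[(x, y)] / (len(U) * len(V))
            for u in U for v in V for x in OUTS for y in OUTS}

def stat_distance(P, Q):
    """d(P, Q) = 1/2 * sum_k |P(k) - Q(k)| over the union of both supports."""
    return 0.5 * sum(abs(P.get(k, 0.0) - Q.get(k, 0.0)) for k in set(P) | set(Q))

def sample(rng, dist):
    """Draw one outcome from a dict {outcome: probability}."""
    r, acc = rng.random(), 0.0
    for outcome, prob in sorted(dist.items()):
        acc += prob
        if r < acc:
            return outcome
    return outcome          # guards against rounding at the very end

def parameter_estimation(cond_actual, cond_target, n, kappa, p, eta, seed=1):
    """Run Protocol 1 on n uses of cond_actual against the single target cond_target.
    Returns a dict whose 'abort' entry is None on acceptance, else names the aborting step."""
    rng = random.Random(seed)
    u_key, v_key = 0, 0
    target = make_target(cond_target)
    rounds = []                                   # (x, y, u, v, both_uniform)
    for _ in range(n):
        a_uniform = rng.random() < kappa          # step 2
        b_uniform = rng.random() < kappa          # step 3
        u = rng.choice(U) if a_uniform else u_key
        v = rng.choice(V) if b_uniform else v_key
        x, y = sample(rng, cond_actual(u, v))     # step 4: query the black box
        rounds.append((x, y, u, v, a_uniform and b_uniform))
    # step 6: enough raw-key rounds?
    n_key = sum(1 for r in rounds if (r[2], r[3]) == (u_key, v_key))
    if n_key < (1 - kappa) ** 2 * p * n:
        return {"abort": "step 6: too few (u, v) rounds"}
    # step 7: every input pair seen often enough among the test rounds?
    test = [r for r in rounds if r[4]]
    t = len(test)
    threshold = kappa ** 2 * p * n / (len(U) * len(V))
    for u, v in product(U, V):
        if sum(1 for r in test if (r[2], r[3]) == (u, v)) < threshold:
            return {"abort": "step 7: input pair (%d, %d) too rare" % (u, v)}
    # step 8: estimate P_XYUV from the test rounds and compare with the target
    est = {}
    for x, y, u, v, _ in test:
        est[(x, y, u, v)] = est.get((x, y, u, v), 0.0) + 1.0 / t
    d = stat_distance(est, target)
    key_rounds = [r for r in test if (r[2], r[3]) == (u_key, v_key)]
    delta_est = sum(1 for r in key_rounds if r[0] != r[1]) / len(key_rounds)
    if d >= eta:
        return {"abort": "step 8: estimate is eta-far from the target", "d": d, "delta": delta_est}
    return {"abort": None, "d": d, "delta": delta_est, "t": t}
```

With $n = 40000$, $\kappa = 0.5$, $p = 0.9$ and $\eta = 0.1$ the honest box passes (its estimate lands within a few hundredths of the target) while the input-independent box is rejected at step 8, since the two targets differ by $d = 0.425$.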

We now introduce some definitions which are used for the analysis of this protocol.

Definition 11. Let $\mathcal P$ be a set of distributions $P_{XYUV}$. The set of systems $\mathcal P^{\eta}$ consists of all distributions
which have distance at least $\eta$ from the set $\mathcal P$, i.e.,

$$\mathcal P^{\eta} = \{P_{XYUV} \mid d(P_{XYUV}, \tilde P_{XYUV}) \ge \eta \text{ for all } \tilde P_{XYUV}\in\mathcal P\} .$$

Definition 12. Let $\mathcal P$ be a set of distributions $P_{XYUV}$. The set of systems $\mathcal P^{-\eta}$ consists of all distributions
which have distance at least $\eta$ from the complement of the set $\mathcal P$, i.e.,

$$\mathcal P^{-\eta} = \{P_{XYUV} \mid d(P_{XYUV}, \tilde P_{XYUV}) \ge \eta \text{ for all } \tilde P_{XYUV}\notin\mathcal P\} .$$

We further define the set of conditional systems which are $\eta$-far from or $\eta$-close to a certain set by the
closeness of the distributions which can be obtained from them by choosing the input distribution
to be uniform.

Definition 13. Let $\mathcal P_{cond}$ be a set of systems $P_{XY|UV}$. For a system $P_{XY|UV}$, consider the
distribution $P_{XYUV} = P_{XY|UV}/(|\mathcal U||\mathcal V|)$. Then a system $P_{XY|UV}$ is in $\mathcal P^{\eta}_{cond}$ if $P_{XYUV}\in\mathcal P^{\eta}$ and
$P_{XY|UV}$ is in $\mathcal P^{-\eta}_{cond}$ if $P_{XYUV}\in\mathcal P^{-\eta}$.

Let us motivate why we take exactly this definition of $\mathcal P^{\eta}_{cond}$: the reason is that it is useful to
estimate $P_{XY|UV}\cdot\lambda$, where $P_{XY|UV}$ is the vector of all probabilities in the conditional distribution
and $\lambda$ is some vector. This is in fact exactly the form of the bound on the guessing probability.

Lemma 13. Let $\mathcal P_{cond} = \{P_{XY|UV}\}$. For all $\tilde P_{XY|UV}\notin\mathcal P^{\eta}_{cond}$ it holds that

$$\tilde P_{XY|UV}^T\cdot\lambda \le P_{XY|UV}^T\cdot\lambda + |\mathcal U||\mathcal V|\cdot\eta\cdot\sum_i|\lambda_i| .$$

Proof.

$$(\tilde P_{XY|UV}^T - P_{XY|UV}^T)\cdot\lambda = |\mathcal U||\mathcal V|\cdot\tilde P_{XYUV}^T\cdot\lambda - |\mathcal U||\mathcal V|\cdot P_{XYUV}^T\cdot\lambda
= |\mathcal U||\mathcal V|\cdot(\tilde P_{XYUV}^T - P_{XYUV}^T)\cdot\lambda \le |\mathcal U||\mathcal V|\cdot\eta\cdot\sum_i|\lambda_i| .$$

□



We will need the Sampling Lemma (Lemma 14) to show that our protocol is secure, i.e., that it
$\varepsilon$-securely filters input states with $\tilde P_{guess} > P_{guess} + |\mathcal U||\mathcal V|\cdot\eta\cdot\sum_i|\lambda_i|$ for the individual systems.

Lemma 14 (Sampling Lemma [KR05]). Let $Z$ be an $n$-tuple and $Z'$ a $k$-tuple of random variables
over a set $\mathcal Z$, with symmetric joint probability $P_{ZZ'}$. Let $Q_{z'}$ be the relative frequency distribution
of a fixed sequence $z'$ and $Q_{(z,z')}$ be the relative frequency distribution of a sequence $(z,z')$, drawn
according to $P_{ZZ'}$. Then for every $\varepsilon > 0$ we have

$$P_{ZZ'}\big[\|Q_{(z,z')} - Q_{z'}\| \ge \varepsilon\big] \le |\mathcal Z|\cdot e^{-k\varepsilon^2/(8|\mathcal Z|)} .$$

Lemma 15. Protocol 1 $\varepsilon$-securely filters $(\mathcal P^{\eta}_{cond})^{\otimes n}$ with

$$\varepsilon = |\mathcal X||\mathcal Y||\mathcal U||\mathcal V|\cdot e^{-t'\eta^2/(8|\mathcal X||\mathcal Y|)} ,$$

where $t' = \kappa^2 pn/|\mathcal U||\mathcal V|$.

Proof. If for each of the conditional distributions $P_{XY|U=u,V=v}$ the estimate is within $\eta$, this also
holds for the total distribution $P_{XYUV}$. By Lemma 14 the probability that for any conditional
distribution the estimate is $\eta$-far is at most $|\mathcal X||\mathcal Y|\,e^{-t'\eta^2/(8|\mathcal X||\mathcal Y|)}$, where $t' = \kappa^2 pn/|\mathcal U||\mathcal V|$. We obtain
the lemma by the union bound over all inputs. □

Note that $\varepsilon\in O(2^{-n})$ for any constant $0 < \kappa, p < 1$ and $\eta > 0$.

Lemma 16. Protocol 1 is $\varepsilon'$-robust on $(\mathcal P^{-\eta})^{\otimes n}$ with

$$\varepsilon' = |\mathcal X||\mathcal Y||\mathcal U||\mathcal V|\cdot e^{-t'\eta^2/(8|\mathcal X||\mathcal Y|)} + e^{-2n\left((1-\kappa)^2(1-p)\right)^2} + |\mathcal U||\mathcal V|\cdot e^{-2n\left(\kappa^2(1-p)/|\mathcal U||\mathcal V|\right)^2} ,$$

where $t' = \kappa^2 pn/|\mathcal U||\mathcal V|$.

Proof. This follows by the same argument as Lemma 15 and a Chernoff bound (i.e., $\Pr[\frac1n\sum_i x_i \le
p - \varepsilon] \le e^{-2n\varepsilon^2}$) on the probability that the protocol aborts because any of the inputs did not occur
often enough. □

It holds that $\varepsilon'\in O(2^{-n})$ for any constant $0 < \kappa, p < 1$ and $\eta > 0$.

Lemma 17. The protocol $\varepsilon$-securely filters systems with $\tilde P_{guess} > P_{guess} + \eta'$ for the individual system,
where $\eta' = |\mathcal U||\mathcal V|\cdot\eta\cdot\sum_i|\lambda_i|$.

Proof. This is a direct consequence of Lemma 15 and Lemma 13 and the fact that the guessing
probability is given by $P_{XY|UV}\cdot\lambda$ (see the dual program bounding the guessing probability). □

Lemma 18. The protocol $\varepsilon$-securely filters systems with $\tilde\delta > \delta + \eta$ for the individual systems.

Proof. This follows from the definition of $\mathcal P^{\eta}_{cond}$. □

Lemma 19. Assume the parameter estimation protocol $\varepsilon$-securely filters inputs such that
$\tilde P_{guess} > P_{guess} + \eta'$ for individual systems. Then it $\varepsilon$-securely filters systems with

$$H_{\min}(X|E)_\rho < -n\log_2 P_{guess} .$$

Proof. This follows from Theorem 2 and the product lemma for the guessing probability (Lemma 12).
□



6.2 Information reconciliation 

Having estimated the probability of error $\delta$ of their key bits in the previous section, Alice and Bob
can do information reconciliation by applying a two-universal hash function with output length $m$
bits, where $m = n\cdot h(\delta) + e$, and they can almost surely correct their errors, i.e., the keys will be
equal except with exponentially small probability.

Definition 14. Let $\mathcal P$ be a set of distributions $P_{XY}$. An information reconciliation protocol is
$\varepsilon$-correct on $\mathcal P$ if on input $P_{XY}\in\mathcal P$ it outputs $x', y'$ such that $x'\ne y'$ with probability at most $\varepsilon$.
It is $\varepsilon'$-robust on $\mathcal P$ if on input $P_{XY}\in\mathcal P$ it aborts with probability at most $\varepsilon'$.

Protocol 2 (Information reconciliation).

1. Alice obtains $x$ and Bob $y$ distributed according to $P_{XY}^{\otimes n}$ with $\mathcal X = \mathcal Y = \{0,1\}$ and $P(X\ne Y) \le \delta$.
Alice outputs $x' = x$.

2. Alice chooses a function $f\in\mathcal F : \{0,1\}^n\to\{0,1\}^m$ at random, where $\mathcal F$ is a two-universal set
of functions.

3. She sends the function $f$ and $f(x)$ to Bob.

4. Bob chooses $y'$ such that $d_H(y,y')$ is minimal among all strings $z$ with $f(z) = f(x)$ (if there
are two possibilities, he chooses one at random) and outputs $y'$.
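The following Python code is an added example (not the paper's own) that runs Protocol 2 end to end on a small instance and evaluates the bound of Theorem 5. It assumes the two-universal family $\mathcal F = \{x\mapsto Mx \bmod 2\}$ of random binary $m\times n$ matrices (the paper only requires some two-universal family), a binary symmetric channel with error $\delta$ for Bob's copy, and Bob's step-4 decoder implemented by brute force over all $2^n$ strings, which is exactly why the decoding in this form is not computationally efficient and only serves as a proof device.

```python
import math
import random

# Added example, not from the paper: Protocol 2 with a random linear hash over GF(2)
# (assumed two-universal family) and Bob's brute-force minimum-distance decoder.

def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def theorem5_bound(n, m, delta, kappa):
    """Failure probability bound of Theorem 5: e^{-2 kappa^2 n} + 2^{n h(delta + kappa) - m}."""
    return math.exp(-2 * kappa ** 2 * n) + 2.0 ** (n * binary_entropy(delta + kappa) - m)

def random_linear_hash(rng, n, m):
    """A member f_M of {x -> Mx mod 2}: m random n-bit rows (strings are ints)."""
    return [rng.getrandbits(n) for _ in range(m)]

def apply_hash(M, x):
    """f(x) as an m-bit integer: bit r is the parity of <row_r, x>."""
    out = 0
    for r, row in enumerate(M):
        out |= (bin(row & x).count("1") & 1) << r
    return out

def hamming(a, b):
    """Hamming distance d_H between two n-bit strings stored as ints."""
    return bin(a ^ b).count("1")

def bob_decode(rng, M, fx, y, n):
    """Step 4: y' = a string z with f(z) = f(x) at minimal d_H(y, z), ties broken at random.
    Exhaustive over all 2^n candidates, so only usable for small n."""
    best, best_d = [], n + 1
    for z in range(1 << n):
        if apply_hash(M, z) != fx:
            continue
        d = hamming(y, z)
        if d < best_d:
            best, best_d = [z], d
        elif d == best_d:
            best.append(z)
    return rng.choice(best)

def reconcile(n, m, delta, seed=7):
    """Run Protocol 2 over a BSC(delta). Returns (x, y, y_prime, f(y_prime) == f(x))."""
    rng = random.Random(seed)
    x = rng.getrandbits(n)                                   # Alice's raw key (constructed)
    noise = sum(1 << i for i in range(n) if rng.random() < delta)
    y = x ^ noise                                            # Bob's noisy copy, step 1
    M = random_linear_hash(rng, n, m)                        # step 2
    fx = apply_hash(M, x)                                    # step 3: (M, f(x)) go to Bob
    y_prime = bob_decode(rng, M, fx, y, n)                   # step 4
    return x, y, y_prime, apply_hash(M, y_prime) == fx
```

Because $x$ itself is always a candidate in step 4, the decoder's output is never farther from $y$ than $x$ is; the protocol fails only when a different string at the same or smaller distance collides with $x$ under $f$, which is the event Theorem 5 bounds. For $n = 1000$, $m = 500$, $\delta = \kappa = 0.05$ the bound evaluates to about $e^{-5}\approx 0.0067$, the second term being negligible.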

The following theorem by Brassard and Salvail states that information reconciliation can be
achieved by a two-universal function. We state the theorem with a slightly stronger bound on the
error probability than the one originally given in [BS93].

Theorem 5 (Information reconciliation [BS93]). Let $x$ be an $n$-bit string and $y$ another $n$-bit string
obtained by sending $x$ over a binary symmetric channel with error parameter $\delta$. Assume the function
$f : \{0,1\}^n\to\{0,1\}^m$ is chosen at random amongst a set of two-universal functions. Choose $y'$ such
that $d_H(y,y')$ is minimal among all strings $r$ with $f(r) = f(x)$. Then, for any $\kappa > 0$,

$$\Pr[x\ne y'] \le e^{-2\kappa^2 n} + 2^{n\cdot h(\delta+\kappa) - m} ,$$

where $h(p) = -p\cdot\log_2 p - (1-p)\log_2(1-p)$ is the binary entropy function.

Information reconciliation using a two-universal hash function has the disadvantage that the decoding procedure
(i.e., for Bob to find $y'$) cannot, in general, be done in a computationally efficient way. It is possible to use a code
for information reconciliation instead, and there exist codes which can be efficiently decoded [Hol06]. However, in our
setup the theoretical efficiency of the decoding procedure is actually not important, as there exist codes with very
good decoding properties in practice and Alice and Bob can test whether they have correctly decoded using a short
hash value of their strings. In case decoding does not succeed, they can repeat the protocol, resulting in some loss of
robustness.
Proof. $x\ne y'$ if either $d_H(x,y)$ is large or if $f(x) = f(y')$ for some $y'\ne x$ close to $y$. The probability that the strings $x$ and
$y$ differ at more than $n(\delta+\kappa)$ positions is bounded by

$$\Pr[d_H(x,y) > n\cdot(\delta+\kappa)] \le e^{-2\kappa^2 n} .$$

The probability that a $y'\ne x$ with small $d_H(x,y')$ is mapped to the same value by $f$ is

$$\Pr[f(x) = f(y'),\ d_H(x,y') \le n(\delta+\kappa)] \le 2^{-m}\cdot\sum_{i=0}^{n(\delta+\kappa)}\binom{n}{i} \le 2^{n\cdot h(\delta+\kappa) - m} .$$

The theorem follows by the union bound. □

Lemma 20. The protocol is $\varepsilon$-correct on input $P_{XY}$ such that $P(X\ne Y) \le \delta$ where, for any $\kappa > 0$,

$$\varepsilon = e^{-2\kappa^2 n} + 2^{n\cdot h(\delta+\kappa) - m} ,$$

and $0$-robust on all inputs.

Proof. Correctness follows directly from Theorem 5. Robustness follows from the fact that there
always exists a $y'$ such that $f(y') = f(x)$. □

For any $\kappa > 0$ and $m > n\cdot h(\delta+\kappa)$, this value is in $O(2^{-n})$.

When some information about the raw key is released, such as, for example, when Alice and
Bob do information reconciliation, the min-entropy can at most be reduced by the number of bits
communicated, see [Ren05].

Theorem 6 (Chain rule [Ren05]). Let $\rho_{XEC}$ be classical on $C$. Then

$$H_{\min}(X|E,C)_\rho \ge H_{\min}(X|E)_\rho - H_{\max}(C) \ge H_{\min}(X|E)_\rho - m ,$$

where $m = \log_2|\mathcal C|$ is the number of bits of $C$.




6.3 Privacy amplification 

In order to create a highly secure key from a partially secure string, Alice and Bob do privacy
amplification, i.e., they apply a two-universal hash function to their raw keys. The distance from uniform
of the final key string is given by the following theorem.

Theorem 7 (Privacy amplification [RK05, Ren05]). Let $\rho_{XE}$ be classical on $\mathcal H_X$ and let $\mathcal F$ be a
family of two-universal hash functions from $\mathcal X$ to $\{0,1\}^s$. Then

$$d(\rho_{F(X)EF}|EF) \le \sqrt{\operatorname{tr}\rho_{XE}}\cdot 2^{-\frac12(H_{\min}(\rho_{XE}|E) - s)} \le 2^{-\frac12(H_{\min}(\rho_{XE}|E) - s)} .$$



6.4 Key distribution 

We can now put everything together to obtain a key-distribution scheme. A key-distribution protocol
should be secure. This means that it should output the same key to Alice and Bob (correctness) and
Eve should not know anything about the key (secrecy). Furthermore, the protocol should output a
key when the adversary is passive, i.e., it should be robust.

Protocol 3 (Key distribution).

1. Alice and Bob receive $P_{XY|UV}^{\otimes n}$.

2. They apply parameter estimation using Protocol 1.

3. They do information reconciliation using Protocol 2.

4. Privacy amplification: Alice chooses a function $f : \{0,1\}^n\to\{0,1\}^s$, $f\in\mathcal F$, from a two-universal
set and sends $f$ to Bob. Alice outputs $f(x)$ and Bob $f(y')$.

Lemma 21. Protocol 3 is $\varepsilon$-secret with $\varepsilon\in O(2^{-n})$ and $\varepsilon'$-correct with $\varepsilon'\in O(2^{-n})$ for $m > n\cdot h(\delta)$
and $s = q\cdot n$ with $q < -\log_2 P_{guess} - m/n$. It is $\varepsilon''$-robust on $(\mathcal P^{-\eta})^{\otimes n}$ with $\varepsilon''\in O(2^{-n})$.

Proof. This is a direct consequence of the fact that each step in the protocol is secure (Lemma 15,
Lemma 20 and Theorem 7), taking into account Theorem 6. Robustness follows from the robustness
of the parameter-estimation protocol, Lemma 16. □

The secret key rate is the length $s$ of the key that the protocol can output and still remain
secure, relative to the number $n$ of systems. We obtain the following.

Lemma 22. The scheme reaches a key rate $q$ of

$$q = -\log_2 P_{guess} - h(\delta) .$$

Lemma 23. The scheme reaches a positive key rate $q$ whenever

$$-\log_2 P_{guess} - h(\delta) > 0 .$$
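The entropy bookkeeping behind Lemmas 21 to 23 is worked out in the following Python code, an added example that is not part of the paper: Lemma 19 lowers the min-entropy of the accepted raw key to $-n\log_2 P_{guess}$, the chain rule (Theorem 6) subtracts the $m = n\cdot h(\delta)$ reconciliation bits, and Theorem 7 then fixes how many bits $s$ can be extracted for a target distance $\varepsilon$. The values of $P_{guess}$, $\delta$, $n$ and $\varepsilon$ used below are constructed inputs; the block does not solve the semi-definite program that produces $P_{guess}$.

```python
import math

# Added example, not from the paper: key-rate and key-length accounting for Protocol 3.
# Inputs P_guess, delta, n, eps are constructed; P_guess would come from the dual program.

def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def key_rate(p_guess, delta):
    """Lemma 22: q = -log2 P_guess - h(delta); positive iff Lemma 23 holds."""
    return -math.log2(p_guess) - binary_entropy(delta)

def min_entropy_after_reconciliation(n, p_guess, delta):
    """Lemma 19 gives H_min(X|E) >= -n log2 P_guess for the n accepted systems; the chain
    rule (Theorem 6) subtracts the m = n h(delta) bits Alice sent during reconciliation."""
    return -n * math.log2(p_guess) - n * binary_entropy(delta)

def pa_distance_bound(n, p_guess, delta, s):
    """Theorem 7 applied after reconciliation: d <= 2^{-(H_min(X|E,C) - s)/2}."""
    return 2.0 ** (-(min_entropy_after_reconciliation(n, p_guess, delta) - s) / 2)

def secure_key_length(n, p_guess, delta, eps):
    """Largest integer s with pa_distance_bound <= eps, i.e.
    s <= H_min(X|E,C) - 2 log2(1/eps).  Returns 0 when no key is possible (Lemma 23)."""
    s = math.floor(min_entropy_after_reconciliation(n, p_guess, delta) - 2 * math.log2(1 / eps))
    return max(0, s)
```

The ratio `secure_key_length(n, ...) / n` approaches `key_rate(...)` as $n$ grows, since the $2\log_2(1/\varepsilon)$ penalty is independent of $n$; for $P_{guess} = 0.7$, $\delta = 0.05$ the rate is about $0.228$ bits per system, while $P_{guess} = 0.9$ at the same error gives a negative rate and hence no key.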

7 Removing the Assumption of Independence 

We have seen that Alice and Bob can do key agreement (i.e., they either agree on a secret key or 
abort) if they share i.i.d. distributions. We now want to remove the requirement of independence. 

A special case is the one where Alice and Bob have two inputs and two outputs, i.e., their system
violates the CHSH inequality [CHSH69]. In this case, there exists a (classical) map which they can
apply to their inputs and outputs such that the system afterwards actually is i.i.d., more precisely
a convex combination of i.i.d. distributions [MAG06, MRW+09]. The systems obtained this way
furthermore still violate the CHSH inequality by the same amount.

In general, we do not know of such a map to transform arbitrary systems into product systems.
Nevertheless, we will be able to relate the security of the key-distribution scheme on any input to the
security of the scheme on product inputs $P_{\mathbf{XY}|\mathbf{UV}} = P_{XY|UV}^{\otimes n}$, for which we have already seen that
it is secure, in Section 6. The reason is that we know that security is 'permutation invariant' under
the systems, because each step of the protocol (parameter estimation, information reconciliation
and privacy amplification) is permutation invariant. The post-selection theorem allows us to
relate security of permutation-invariant states to the security of product states.

The post-selection theorem tells us that any permutation-invariant state can be obtained from the 
convex combination of i.i.d. (product) states by a measurement, and furthermore this measurement 
'works' sufficiently often. Therefore, if our key-distribution scheme is secure for product distributions, 
it is still 'almost as secure' on a permutation invariant one. 

Technically, the post-selection technique [CKR09] gives a bound on the diamond norm between
two completely positive trace-preserving maps (i.e., quantum channels) acting symmetrically on an
$n$-party system. The diamond norm is directly related to the maximal probability of guessing
whether one or the other map has been applied (on an input of choice), through the formula $p =
1/2 + 1/4\,\|\mathcal E - \mathcal F\|_\diamond$ (i.e., the distinguishing advantage is then $1/4\,\|\mathcal E - \mathcal F\|_\diamond$). Therefore, it is especially
useful in the context of cryptography, where usually a real map is compared to an ideal map, such
as one that creates a key that is secure by construction. While the diamond norm is defined as a
maximization over all possible input states, the post-selection technique tells us that in the case of
permutation-invariant maps it is enough to consider them acting on a de Finetti state, i.e., a convex
combination of product states $\tau_{\mathcal H^{\otimes n}} = \int\sigma^{\otimes n}\mu(\sigma)$, where $\mu$ is the measure induced by the Hilbert-
Schmidt metric. Let us now restate the main result of [CKR09].

A similar map also exists for the generalization of the CHSH inequality, the Braunstein-Caves inequalities [BC90].

Otherwise permutation invariance could be enforced by applying a random permutation to the systems at the
beginning.
Theorem 8 (Post-selection [CKR09]). Consider a linear map $\Delta$ from $\mathrm{End}(\mathcal H^{\otimes n})$ to $\mathrm{End}(\mathcal H')$. If for
any permutation $\pi$ there exists a CPTP map $\mathcal K_\pi$ such that $\Delta\circ\pi = \mathcal K_\pi\circ\Delta$, then

$$\|\Delta\|_\diamond \le g_{n,d}\,\big\|(\Delta\otimes 1_{\mathrm{End}(\mathcal R)})\,\tau_{\mathcal H^{\otimes n}\mathcal R}\big\|_1 ,$$

where $1_{\mathrm{End}(\mathcal R)}$ denotes the identity map on $\mathrm{End}(\mathcal R)$ and $g_{n,d} = \binom{n+d^2-1}{n} \le (n+1)^{d^2-1}$, where $d = \dim\mathcal H$.
For our purposes, this means roughly

$$\Pr[\mathcal E(\sigma^*) = \text{insecure}] \le (n+1)^{d^2-1}\int\Pr[\mathcal E(\sigma^{\otimes n}) = \text{insecure}]\,d\sigma ,$$

where $\sigma^*$ is a permutation-invariant input and $\mathcal E$ denotes the event that the scheme is insecure.
The very right-hand side is what we have analysed in the previous section and because this is
exponentially small, it remains exponentially small even when multiplied by the polynomial factor
in front of it.

In our case, $\sigma$ represents the system $P_{XY|UV}$. We, therefore, need to model $P_{XY|UV}$ by a quantum
state (note that this is only a mathematical tool and does not have any physical meaning). More
precisely, we represent the distribution $P_{XYUV}$ by $\sigma$. Since our parameter estimation protocol is
such that it filters the conditional distribution independently of the input distribution (it aborts if
any input does not occur often enough), this is equivalent.

Lemma 24. Let $P_{XYUV}$ be a probability distribution. Then there exists a density matrix $\sigma$ in a
Hilbert space $\mathcal H$ with $\dim(\mathcal H) = |\mathcal X||\mathcal Y||\mathcal U||\mathcal V|$ such that measuring $\sigma$ in the standard basis gives the
distribution $P_{XYUV}$.

Proof. Associate with each element of the standard basis $\{|i\rangle\}_i$ an outcome $x, y, u, v$. Take $\sigma =
\sum_{i=1}^{|\mathcal X||\mathcal Y||\mathcal U||\mathcal V|} p_i\,|i\rangle\langle i|$ where $p_i = P_{XYUV}(x,y,u,v)$. □

This tells us that we can use $d = |\mathcal X||\mathcal Y||\mathcal U||\mathcal V|$ in the above formula. Let us now state that
the key-distribution protocol is secure on any input (not only product inputs). It furthermore reaches
essentially the same key rate. Robustness remains, of course, unchanged.

Theorem 9. Protocol 3 is $\varepsilon$-secure with $\varepsilon\in O(2^{-n})$ on any input for $m > n\cdot h(\delta)$ and $s = q\cdot n$ with
$q < -\log_2 P_{guess} - m/n$. It is $\varepsilon''$-robust on $(\mathcal P^{-\eta})^{\otimes n}$ with $\varepsilon''\in O(2^{-n})$.

Proof. This follows directly from Lemma 21 using Theorem 8. □



8 A Specific Protocol 

While our results apply to a rather generic class of protocols (see Protocol 3), we consider here,
for the purpose of illustration, a specific protocol, as described below (Protocol 4). The protocol
is an entanglement-based quantum key distribution protocol similar to the original proposal by
Ekert [Eke91].

Protocol 4.

1. Alice creates $n$ maximally entangled states $|\Psi^-\rangle = (|01\rangle - |10\rangle)/\sqrt2$, and sends one qubit of
every state to Bob.

2. Alice and Bob randomly measure the $i$-th system in either the basis $U_0$ or $U_1$ (for Alice) or $V_0$,
$V_1$ or $V_2$ (Bob); the five bases are shown in Figure 4. Bob flips his measurement result. They
make sure that measurements associated with different subsystems commute.

3. The measurement results when both measured $U_0, V_2$ form the raw key.

4. For the remaining $k$ measurements they announce the results over the public authenticated
channel and estimate the guessing probability and $\delta$ (see Section 6.1). If the parameters are
such that key agreement is possible, they continue; otherwise they abort.

5. They do information reconciliation and privacy amplification as given in Sections 6.2 and 6.3.

Figure 4: Alice's and Bob's measurement bases in terms of polarization used in Protocol 4.

Figure 5: The key rate of Protocol 4 secure against device-independent quantum adversaries as a
function of the channel noise.

Our main results (in particular Theorem 9) allow us to calculate the rate at which the protocol
can produce a secure key, depending on the quality of the original entangled states shared by Alice
and Bob. (This quality normally depends on the noise in the quantum channel used to distribute
the entangled states.) For concreteness, we assume that these shared entangled states
are mixtures consisting of a singlet (with weight $1 - p$) and a fully mixed state (with weight $p$). The
resulting rate depending on the parameter $p$ is shown in Figure 5.
A The XOR as Privacy-Amplification Function

A.1 Best attack on a bit

Of course, the analysis of Section 4 also tells us the best attack in case the function $f$ maps $X$ to a
bit. However, we can give a slightly different form to calculate the distance from uniform of a bit.
This will allow us to show an XOR-Lemma for quantum secrecy.

Lemma 25. Let $P_{XZ|UW}$ be a quantum system. The distance from uniform of $B = f(X)$ given
$Z(W)$ and $Q := (U = u, F = f)$ is bounded by

$$d(B|Z(W),Q) \le \tfrac12\, b^T\cdot\Gamma^*_\Delta ,$$

where $b^T\cdot\Gamma^*_\Delta$ is the optimal value of the optimization problem

$$\max : \sum_{x : B = 0}\Gamma_\Delta(x,u) - \sum_{x : B = 1}\Gamma_\Delta(x,u) \qquad (7)$$
$$\text{s.t.} : A_{qb}\,\Gamma_\Delta = 0,\quad \Gamma_\Delta \preceq \Gamma^k_{marg},\quad -\Gamma_\Delta \preceq \Gamma^k_{marg} ,$$

where $\Gamma_{marg}$ is the matrix associated with the marginal system $P_{X|U}$.



Proof. Define

$$\Gamma_\Delta = 2p\,\Gamma^{z_0} - \Gamma_{marg}$$

(with $p$ the probability of Eve's outcome $z_0$, so that $\Gamma_{marg} = p\,\Gamma^{z_0} + (1-p)\,\Gamma^{z_1}$) and note that with this
definition $\Gamma^{z_0} = (\Gamma_{marg} + \Gamma_\Delta)/(2p)$ and $\Gamma^{z_1} = (\Gamma_{marg} - \Gamma_\Delta)/(2(1-p))$.
The distance from uniform of a bit can be expressed as

$$d(B|Z(W),Q) = \frac12\Big[\,p\Big(\sum_{x:B=0}\Gamma^{z_0}(x,u) - \sum_{x:B=1}\Gamma^{z_0}(x,u)\Big) + (1-p)\Big(\sum_{x:B=1}\Gamma^{z_1}(x,u) - \sum_{x:B=0}\Gamma^{z_1}(x,u)\Big)\Big] = \frac12\, b^T\cdot\Gamma_\Delta .$$

Now notice that $\Gamma^{z_0}$ and $\Gamma^{z_1}$ are quantum certificates of order $k$ exactly if $\Gamma_\Delta$ fulfils the
above requirements. The conditions given by $A_{qb}$ that the matrix $\Gamma$ needs to fulfil are all linear and,
therefore, because $\Gamma_{marg}$ fulfils them, $\Gamma^{z_0}$ and $\Gamma^{z_1}$ fulfil them exactly if $\Gamma_\Delta$ does. The semi-definite
constraints correspond exactly to the requirement that $\Gamma^{z_0}$ and $\Gamma^{z_1}$ are positive semi-definite, using
the fact that the space of positive semi-definite matrices forms a convex cone. □

The above semi-definite program can be written in the following form:

PRIMAL

$$\max : b^T\cdot\Gamma_\Delta \qquad \text{s.t.} : \Gamma_\Delta \preceq \Gamma^k_{marg},\quad -\Gamma_\Delta \preceq \Gamma^k_{marg},\quad A_{qb}\,\Gamma_\Delta = 0 \qquad (8)$$

DUAL

$$\min : (\Gamma^k_{marg})^T(\lambda_1 + \lambda_2) \qquad \text{s.t.} : \lambda_1 - \lambda_2 + A_{qb}^T\lambda_3 = b,\quad \lambda_1, \lambda_2 \succeq 0,\ \lambda_3 \text{ unrestricted} \qquad (9)$$



A.2 Best attack on a bit in terms of observable probabilities

Any dual solution of (9) gives us a bound on the distance from uniform of the bit $B$ in terms of the
matrix elements $\Gamma_{marg}$. We will now change our primal program to one where we optimize over all
$\Gamma_{marg}$ compatible with the observable probabilities. The dual of this program has a solution only
in terms of these probabilities. We then show how we can transform any dual feasible solution of this
program into a dual feasible solution of the program above with the same value.
The new semi-definite program we consider is the following:

PRIMAL

$$\max : b^T\cdot\Gamma_\Delta \qquad \text{s.t.} :
\begin{pmatrix} 1 & -1 \\ -1 & -1 \\ A_{qb} & 0 \\ 0 & A_U \\ 0 & A_{qb} \end{pmatrix}
\begin{pmatrix} \Gamma_\Delta \\ \Gamma_{marg} \end{pmatrix}
\begin{matrix} \preceq \\ \preceq \\ = \\ = \\ = \end{matrix}
\begin{pmatrix} 0 \\ 0 \\ 0 \\ P_{X|U} \\ 0 \end{pmatrix},
\quad \Gamma_\Delta, \Gamma_{marg} \text{ unrestricted} \qquad (10)$$

DUAL

$$\min : P_{X|U}\cdot\lambda_4 \qquad \text{s.t.} :
\begin{pmatrix} 1 & -1 & A_{qb}^T & 0 & 0 \\ -1 & -1 & 0 & A_U^T & A_{qb}^T \end{pmatrix}
\begin{pmatrix} \lambda_1 \\ \lambda_2 \\ \lambda_3 \\ \lambda_4 \\ \lambda_5 \end{pmatrix}
= \begin{pmatrix} b \\ 0 \end{pmatrix},
\quad \lambda_1, \lambda_2 \succeq 0,\ \lambda_3, \lambda_4, \lambda_5 \text{ unrestricted} \qquad (11)$$

where the matrix $A_U$ is such that $A_U\cdot\Gamma_{marg} = P_{X|U}$. We claim that any dual feasible solution
of (11) can be transformed into a dual feasible solution of (9) with the same objective value. The
solution of (11) therefore gives a bound on the distance from uniform only in terms of the observable
probabilities.

Lemma 26. Assume $\lambda_1, \lambda_2, \lambda_3, \lambda_4, \lambda_5$ is a dual feasible solution of (11). Then $\lambda_1, \lambda_2, \lambda_3$ is a dual
feasible solution of (9) reaching the same objective value.

Proof. The condition that $\lambda_1, \lambda_2, \lambda_3$ is feasible for (9) follows directly from the (upper row) feasibility
condition of (11). To see that it reaches the same value, we use the fact that $\Gamma_{marg}$ is a quantum
certificate, i.e.,

$$A_{qb}\cdot\Gamma_{marg} = 0 ,$$

and the (lower row) condition of (11), i.e.

$$-\lambda_1 - \lambda_2 + A_U^T\cdot\lambda_4 + A_{qb}^T\cdot\lambda_5 = 0 .$$

We then obtain

$$(\Gamma^k_{marg})^T(\lambda_1 + \lambda_2)
= (\Gamma^k_{marg})^T(\lambda_1 + \lambda_2) + (\Gamma^k_{marg})^T(-\lambda_1 - \lambda_2 + A_U^T\cdot\lambda_4 + A_{qb}^T\cdot\lambda_5)
= (\Gamma^k_{marg})^T(A_U^T\cdot\lambda_4 + A_{qb}^T\cdot\lambda_5)
= (A_U\cdot\Gamma^k_{marg})^T\lambda_4 + (A_{qb}\cdot\Gamma^k_{marg})^T\lambda_5
= P_{X|U}\cdot\lambda_4 .$$

□



A.3 An XOR-Lemma for quantum secrecy

Using Lemma 10 we can now show that the XOR of two partially secure bits is highly secure.
Lemma 27. Let $A_1, b_1, c_1$ be the parameters associated with the semi-definite program (8) bounding
the distance from uniform of a bit $f(X_1)\in\{0,1\}$ obtained from an $n$-party quantum system $P_{X_1|U_1}$
where $Q = (U_1 = u_1, F = f)$. Similarly associate $A_2, b_2, c_2$ with the distance from uniform of a
bit $g(X_2)\in\{0,1\}$ obtained from an $m$-party quantum system $P_{X_2|U_2}$. Then the distance
from uniform of the bit $f(X_1)\oplus g(X_2)$ obtained from the $(n+m)$-party system $P_{X_1X_2|U_1U_2}$, where
$Q = (U_1 = u_1, U_2 = u_2, F = f, G = g)$, is bounded by the semi-definite program $A, b, c$ with
$A = A_1\otimes A_2$ and $b = b_1\otimes b_2$.

Proof. This follows from the fact that any $(n+m)$-party quantum system must fulfil Lemma 10 and
that the $b$ describing the XOR of two bits can be written as the tensor product of the ones associated with
each of the two bits. □

This implies that for any dual feasible solution, the tensor product is dual feasible for the tensor
product problem.

Lemma 28. Let $\lambda_1$ be dual feasible for (8) with $A_1, b_1, c_1$ associated with an $n$-party quantum
system and $\lambda_2$ dual feasible for an $m$-party quantum system described by $A_2, b_2, c_2$. Then $\lambda = \lambda_1\otimes\lambda_2$
is dual feasible for $A, b, c$ where $A = A_1\otimes A_2$ and $b = b_1\otimes b_2$.

Proof. $\lambda_1\otimes\lambda_2$ fulfils the dual constraints because

$$[A_1\otimes A_2](\lambda_1\otimes\lambda_2) = b_1\otimes b_2 .$$

Furthermore, the tensor product of two positive semi-definite matrices is again positive semi-definite.
□

We can now formulate the XOR-Lemma for quantum secrecy.

Theorem 10 (XOR-Lemma for quantum secrecy). Let $P_{X_1|U_1}$ be an $n$-party quantum system and
$f(X_1)$ a bit such that $d(f(X_1)|Z(W),Q) \le (P_{X_1|U_1}\cdot\lambda_1)/2$ with $Q = (U_1 = u_1, F = f)$. Similarly,
associate $d(g(X_2)|Z(W),Q) \le (P_{X_2|U_2}\cdot\lambda_2)/2$ with a bit from an $m$-party quantum system $P_{X_2|U_2}$
where $Q = (U_2 = u_2, G = g)$. Then the distance from uniform of $f(X_1)\oplus g(X_2)$ obtained from the
$(n+m)$-party quantum system $P_{X_1X_2|U_1U_2}$ with $Q = (U_1 = u_1, U_2 = u_2, F = f, G = g)$ is bounded
by

$$d(f(X_1)\oplus g(X_2)\,|\,Z(W),Q) \le \tfrac12\, P_{X_1X_2|U_1U_2}\cdot(\lambda_1\otimes\lambda_2) .$$

Proof. This follows directly from Lemma 28. □

When the marginal system is of the form $P_{X_1|U_1}\otimes P_{X_2|U_2}$, this implies that the XOR is secure
whenever one of the two bits is secure.
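For a product system the right-hand side of Theorem 10 factorises: $\tfrac12 P\cdot(\lambda_1\otimes\lambda_2) = \tfrac12(P_{X_1|U_1}\cdot\lambda_1)(P_{X_2|U_2}\cdot\lambda_2) = 2\,d_1 d_2$, where $d_i = \tfrac12 P_{X_i|U_i}\cdot\lambda_i$ are the single-bit bounds. The following Python code is an added example, not part of the paper, that works this out in the special case where Eve's side information is classical and the two systems are independent; the "systems" are constructed joint tables of a bit and Eve's value, and the distance from uniform is computed directly from the tables.

```python
# Added example, not from the paper: Theorem 10 in the classical, product special case.
# A "system" is a constructed joint table {(b, z): probability} of the bit b and Eve's value z.

def distance_from_uniform(joint):
    """d(B|Z) = 1/2 * sum_z |P(B=0, z) - P(B=1, z)|, the distance of B from uniform given Z."""
    zs = {z for (_, z) in joint}
    return 0.5 * sum(abs(joint.get((0, z), 0.0) - joint.get((1, z), 0.0)) for z in zs)

def xor_joint(j1, j2):
    """Joint table of (b1 XOR b2, (z1, z2)) when the two systems are independent."""
    out = {}
    for (b1, z1), p1 in j1.items():
        for (b2, z2), p2 in j2.items():
            key = (b1 ^ b2, (z1, z2))
            out[key] = out.get(key, 0.0) + p1 * p2
    return out

def biased_bit(eps):
    """Constructed system: a uniform bit b and Eve's guess z, correct with probability
    1/2 + eps.  Its distance from uniform is exactly eps (eps = 1/2: Eve knows b)."""
    return {(b, z): 0.5 * (0.5 + eps if b == z else 0.5 - eps)
            for b in (0, 1) for z in (0, 1)}

def erasure_bit(q):
    """Constructed system: with probability q Eve learns b (z = b), otherwise z = 2 means
    she learns nothing.  Its distance from uniform is q / 2."""
    return {(0, 0): q / 2, (1, 1): q / 2, (0, 2): (1 - q) / 2, (1, 2): (1 - q) / 2}

def xor_bound(d1, d2):
    """Theorem 10 for a product system: 1/2 P (lambda1 (x) lambda2) = 1/2 (2 d1)(2 d2) = 2 d1 d2."""
    return 2.0 * d1 * d2
```

In this classical product case the bound is attained exactly, because the bias of $b_1\oplus b_2$ given $(z_1, z_2)$ is the product of the two conditional biases; in particular the XOR is perfectly uniform whenever one of the bits is (`biased_bit(0.0)`), and it is no more exposed than the other bit when Eve knows one of them completely (`biased_bit(0.5)`).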